Trust and Security in Collaborative Computing
Xukai Zou
Indiana University-Purdue University Indianapolis, USA
Yuan-Shun Dai
University of Tennessee, USA
Yi Pan
Georgia State University, USA
World Scientific
NEW JERSEY • LONDON • SINGAPORE • BEIJING • SHANGHAI • HONG KONG • TAIPEI • CHENNAI
For photocopying of material in this volume, please pay a copying fee through the Copyright
Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA. In this case permission to
photocopy is not required from the publisher.
ISBN-13 978-981-270-368-2
ISBN-10 981-270-368-3
Printed in Singapore.
This book is dedicated to Xukai’s wife Suqin and Yuanshun’s wife Jiafeng.
Yi Pan would like to thank Sherry, Marissa and Anna for their love,
support and encouragement during the preparation of the book.
September 22, 2007 0:3 World Scientific Book - 9in x 6in tcc
Preface
Acknowledgments
The authors would like to thank many people for their help during the
writing and publishing of the book. We thank the colleagues from World
Scientific Inc. for their support of and guidance on the book. We also
thank our students Leah Cardaci and Ashhar Madni and our lead network
engineer Scott Orr for help editing some content, our students Manish
Madhusoodan and Xiang Ran for drawing some figures, and Lori M. Bruns,
Associate Faculty in the English Department at IUPUI, for proofreading.
This work was partially supported by the U.S. NSF grant CCR-0311577
and IUPUI RSFG (Research Support Funding Grant).
Contents
Preface vii
Acknowledgments ix
List of Figures xv
1. Introduction 1
1.1 Overview of Trusted Collaborative Computing . . . . . . 1
1.2 Basic Concepts in Terms of Security . . . . . . . . . . . . 3
1.3 Basic Concepts in Terms of Reliability . . . . . . . . . . . 9
1.4 Abbreviations and Notations . . . . . . . . . . . . . . . . 13
1.5 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Bibliography 207
Index 225
List of Figures
3.10 Running times for hiding key: based on the polynomial degree. 91
3.11 Running times for extracting key: based on number of users. . 92
3.12 Running times for extracting key: based on the polynomial degree. 93
List of Tables
Chapter 1
Introduction
Definition 1.5. Let G be a cyclic group of very large finite order n, which
without loss of generality we denote multiplicatively. Let α ∈ G be a
generator of G; thus, for any element β ∈ G, there is a unique integer a,
0 ≤ a ≤ n − 1, such that β = α^a. The related Discrete Logarithm
Problem (DLP) can be stated as follows: given the group G, the generator
α, and an element β ∈ G, determine the unique a ∈ [0, n − 1] such that
β = α^a. We denote the integer a by log_α β.
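To make the definition concrete, a DLP instance in a small group can be solved directly; the sketch below (group and values chosen for illustration only; real DLP instances use group orders far too large for such a search) uses the baby-step giant-step method:

```python
# Baby-step giant-step for the Discrete Logarithm Problem in Z_p^*.
# Illustrative small prime; the O(sqrt(n)) search is infeasible for
# cryptographic group orders.
from math import isqrt

def discrete_log(alpha, beta, p):
    """Find a such that alpha^a = beta (mod p), for alpha a generator of Z_p^*."""
    n = p - 1                      # order of the group Z_p^*
    m = isqrt(n) + 1
    # Baby steps: table of alpha^j for j = 0..m-1.
    table = {pow(alpha, j, p): j for j in range(m)}
    # Giant steps: beta * (alpha^-m)^i, looking for a collision.
    factor = pow(alpha, -m, p)     # alpha^{-m} mod p (Python 3.8+)
    gamma = beta % p
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma]
        gamma = (gamma * factor) % p
    return None

# alpha = 2 is a generator of Z_19^*; recover a = 7 from beta = 2^7 mod 19.
p, alpha = 19, 2
beta = pow(alpha, 7, p)
assert discrete_log(alpha, beta, p) == 7
```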
Definition 1.7. Let n = pq where p and q are large primes. Let the
ciphertext space and the plaintext space both be Z_n, and define
K = {(n, p, q, a, b) : ab ≡ 1 mod φ(n)}.
For K = (n, p, q, a, b), define
the encryption rule as e_K(x) = x^b mod n
and the decryption rule as d_K(y) = y^a mod n.
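A toy instance of Definition 1.7 can be run directly; the primes below are illustrative only, whereas real RSA moduli are thousands of bits:

```python
# Toy RSA, following Definition 1.7: n = pq, ab ≡ 1 (mod φ(n)),
# e_K(x) = x^b mod n and d_K(y) = y^a mod n. Small illustrative primes.
p, q = 61, 53
n = p * q                      # 3233
phi = (p - 1) * (q - 1)        # φ(n) = 3120
b = 17                         # public (encryption) exponent, gcd(b, phi) = 1
a = pow(b, -1, phi)            # private exponent: ab ≡ 1 (mod φ(n))

def e_K(x): return pow(x, b, n)    # encryption rule
def d_K(y): return pow(y, a, n)    # decryption rule

x = 1234
assert d_K(e_K(x)) == x
```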
• The size of each share does not exceed that of the original secret.
• When k is kept fixed, Di pieces can be dynamically added or re-
moved without affecting the other Di pieces.
• It is easy to change the Di pieces without changing the original
secret D - all we need is a new polynomial q(x) with the same
a0 . This method would enhance the security because the pieces
exposed by security breaches cannot be accumulated unless all of
them are values of the same version of the q(x) polynomial.
• A hierarchical scheme can be obtained in which the number of
pieces needed to determine D depends on an individual’s impor-
tance. For example, a person of the higher importance can be given
two or more shares.
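The polynomial-based threshold scheme behind these properties can be sketched as follows; the field prime and parameters are illustrative choices:

```python
# Sketch of a (k, n) threshold scheme over GF(P): the dealer hides the
# secret D as the constant term a0 of a random degree-(k-1) polynomial
# q(x), hands out shares D_i = q(i), and any k shares recover D by
# Lagrange interpolation at x = 0.
import random

P = 2**61 - 1          # a prime larger than any secret or share

def make_shares(secret, k, n):
    coeffs = [secret] + [random.randrange(P) for _ in range(k - 1)]
    q = lambda x: sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P
    return [(i, q(i)) for i in range(1, n + 1)]

def recover(shares):
    # Lagrange interpolation at x = 0 over GF(P).
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

secret = 123456789
shares = make_shares(secret, k=3, n=5)
assert recover(shares[:3]) == secret        # any 3 shares suffice
assert recover(shares[2:5]) == secret
```

Note how the listed properties show up directly: shares can be added by evaluating q at new points, and refreshing all D_i means choosing a new random polynomial with the same a0.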
Definition 1.10. Reliability is the probability that the system will perform
its intended function under specified working conditions for a specified
period of time.
Mathematically, the reliability function R(t) is the probability that a
system will be successfully operating without failure in the interval from
time 0 to time t:
R(t) = P(T > t),  t ≥ 0   (1.1)
where T is a random variable representing the failure time or time-to-failure.
Definition 1.11. The mean time to failure (MTTF) is defined as the ex-
pected value of the lifetime before a failure occurs.
Suppose that the reliability function for a system is given by R(t), the
MTTF can be computed as
MTTF = ∫₀^∞ t·f(t) dt = ∫₀^∞ R(t) dt   (1.2)
MTTF = ∫₀^∞ R(t) dt = ∫₀^∞ exp(−λt) dt = 1/λ   (1.3)
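Eq. (1.3) is easy to check numerically; the failure rate below is an illustrative choice:

```python
# Numeric check of Eq. (1.3): with R(t) = exp(-λt), the integral
# ∫0∞ R(t) dt should come out to 1/λ. Simple trapezoidal integration
# on a truncated interval; λ is illustrative.
import math

lam = 0.5                          # failure rate λ
R = lambda t: math.exp(-lam * t)   # reliability function R(t) = P(T > t)

def integrate(f, a, b, steps=200_000):
    h = (b - a) / steps
    return h * (f(a) / 2 + sum(f(a + i * h) for i in range(1, steps)) + f(b) / 2)

mttf = integrate(R, 0.0, 60.0)     # truncate the improper integral
assert abs(mttf - 1 / lam) < 1e-6  # matches MTTF = 1/λ
```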
with system designers to ensure that the system product can be maintained
cost effectively.
Let T denote the time to repair or the total downtime. If the repair time
T has a density function g(t), then the maintainability, V (t), is defined as
the probability that the failed system will be back in service by time t, i.e.,
V(t) = P(T ≤ t) = ∫₀^t g(x) dx
An important measure often used in maintenance studies is the mean time
to repair (MTTR) or the mean downtime. MTTR is the expected value of
the repair time.
System repair time usually consists of two separate intervals: passive
repair time and active repair time. Passive repair time is mainly determined
by the time taken by service engineers in preparation, such as traveling to
the customer site. In many cases, the cost of travel time could exceed
the cost of the actual repair. Active repair time is directly affected by
the system design. The active repair time can be reduced significantly by
designing the system in such a way that faults may be quickly detected and
isolated. As more complex systems are designed, it becomes more difficult
to isolate the faults.
Another important reliability related concept is system availability.
This is a measure that takes both reliability and maintainability into ac-
count.
Unlike reliability, which focuses on a period of time during which the
system is free of failures, availability concerns a point in time at which
the system is not in the failed state. Mathematically,
A(t) = Pr(System is up or available at time instant t)
The availability function, which is a complex function of time, has a sim-
ple steady-state or asymptotic expression. In fact, usually we are mainly
concerned with systems running for a long time. The steady-state or asymp-
totic availability is given by
A = lim_{t→∞} A(t) = System up time / (System up time + System down time)
= MTTF / (MTTF + MTTR)
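The steady-state expressions can be checked with illustrative rates:

```python
# Steady-state availability for exponential failure and repair times:
# F(t) = 1 - exp(-λt) gives MTTF = 1/λ, V(t) = 1 - exp(-µt) gives
# MTTR = 1/µ, and A = MTTF / (MTTF + MTTR) = µ / (λ + µ).
# The rates are illustrative.
lam, mu = 0.01, 0.5        # failure rate λ, repair rate µ (per hour)

mttf = 1 / lam             # mean time to failure
mttr = 1 / mu              # mean time to repair
A = mttf / (mttf + mttr)   # steady-state availability

assert abs(A - mu / (lam + mu)) < 1e-9
```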
The mean time between failures (MTBF) is another important measure
in repairable systems. This implies that the system has failed and has
been repaired. Like MTTF and MTTR, MTBF is an expected value of the
random variable time between failures. Mathematically, MTBF = MTTR +
MTTF.
Example 1.3. If a system has a lifetime distribution function F(t) =
1 − exp(−λt) and a maintainability function V(t) = 1 − exp(−µt), then
MTTF = 1/λ and MTTR = 1/µ. The MTBF is the sum of MTTF and MTTR,
and the steady-state availability is
A = MTTF / (MTTR + MTTF) = (1/λ) / (1/λ + 1/µ) = µ / (λ + µ)
1.5 Outline
This book consists of seven chapters, which are listed and described as
follows:
Chapter 1. This chapter presents an introductory overview of TCC.
The chapter begins by introducing central problems of TCC, such as se-
curity and dependability in CC environments. It proceeds to introduce
preliminaries for TCC and notations used in the rest of the book. Finally,
an outline of the subsequent chapters of the book is presented.
Chapter 2. This chapter discusses the first of the main security re-
quirements/functions in TCC environments: secure group communication
(SGC) and interaction. The primary issue for SGC is group key manage-
ment. This chapter gives a comprehensive overview of state-of-the-art
group key management schemes. The chapter also contains a discussion on
secure dynamic conferences (SDC).
Chapter 3. This chapter discusses another important security require-
ment and function in TCC environments: data sharing/exchange and access
control. The chapter mainly focuses on cryptography based hierarchical ac-
cess control (CHAC) techniques.
Chapter 4. In this chapter, we discuss and classify intrusion attacks
and their corresponding detection and response technologies. In particular,
we discuss typical traceback techniques and introduce a new DoS/DDoS de-
Abbreviations:
ACP – Access Control Polynomial
CA – Central Authenticator
CPRS – Computerized Patient Record System
DLKM – Dual-Level Key Management
DoS – Denial of Service
DDoS – Distributed Denial of Service
DIDS – Distributed Intrusion Detection System
GC – Group Controller
GSI – Globus Security Infrastructure
HAC – Hierarchical Access Control
HIDS – Host based Intrusion Detection System
IDS – Intrusion Detection System
KMS – Key Management Server
LCM – Least Common Multiple
MANET – Mobile Ad hoc NETworks
MTST – Minimal Task Spanning Tree
NIDS – Network based Intrusion Detection System
RMS – Resource Management System
PKI – Public Key Infrastructure
SOS – Secure Overlay Service
VISTA – Veterans Health Information Systems and Technology Architecture
VO – Virtual Organization
Notations:
SID_i – every valid user/machine is assigned a permanent secret key SID_i
Chapter 2
As discussed in the previous section, the secrecy and privacy of group
communication are achieved by encrypting the group messages with a secret
key known only to the members of the group. The secret key, also known
as the group key, is accessible only to the group members; hence, only
the group members can decrypt the messages. Obviously, the mechanism
for sharing such a secret group key amongst the members of the group has
to be secure and efficient. Therefore, the first and often most important
problem facing SGC is that of key management.
[Figure: a logical key tree for group rekeying. The root holds the traffic
encryption key (TEK) k_{0−7}; internal nodes hold key encryption keys
k_{0−3}, k_{4−7}, k_{0−1}, k_{2−3}, k_{4−5}, k_{6−7}; members U_0 through
U_7 sit at the leaves with individual keys k_0 through k_7. Joins and
leaves occur at the leaves.]
the more members there are, the more chances they will have to share
keys, and the shared keys are updated just once in each batch operation.
Several batch rekeying schemes based on the key tree scheme have been
proposed [Lee et al. (2002); Li et al. (2001); Pegueroles and Rico-
Novella (2003); Setia et al. (2000); Zhang et al. (2001)]. Most recently, the
authors in [Ng et al. (2007)] propose a balanced batch rekeying scheme.
The scheme consists of three algorithms: two merging algorithms and one
balanced batch rekeying algorithm. The two merging algorithms mainly
deal with batch join operations and the balanced batch rekeying algorithm,
which repeatedly calls (one of the) two merging algorithms, mainly deals
with the batch leaving operations. The main feature of all three algorithms
is to minimize the height difference in the key tree without adding extra
communication costs. We briefly summarize its three algorithms below.
Let ST_A and ST_B be two subtrees to be merged and d be the degree of
the key tree. Let H_min and H_max be the minimum and maximum heights
of a leaf node in a key tree, and let H_min(ST_X) and H_max(ST_X) denote
H_min and H_max of a subtree ST_X. Let H_insert = H_min(ST_A) − H_max(ST_B).
The balanced batch rekeying algorithm is described in Figure 2.3.
MergeAlgorithm 1 is called when H_max(ST_A) − H_min(ST_B) > 1 and
H_max(ST_A) − H_max(ST_B) ≥ 1 and is described in Figure 2.4.
MergeAlgorithm 2 is called when H_max(ST_A) − H_min(ST_B) ≤ 1 and
H_max(ST_A) − H_max(ST_B) ≤ 1 and is described in Figure 2.5.
After the key tree has been reorganized, the GC needs to inform the
members of their new locations so that the members can identify their
Algorithm 2.1.
/* Balanced Batch Rekeying Algorithm */
Find and mark all key nodes needing to be updated.
/* They are on the paths from each leaving member to the root */
Remove all marked key nodes.
/* So, two types of elements are left: remaining subtrees and joining members */
Classify all siblings of the leaving members as joining members.
/* Because all keys the leaving members store cannot be used */
Group the joining members into subtrees, each with d members.
/* Except the last one, which has 1 to d − 1 members */
Repeatedly merge the two minimum subtrees until one subtree is left.
/* Either MergeAlgorithm 1 or MergeAlgorithm 2 is called */
Form the update and rekey messages and multicast them to members.
Algorithm 2.2.
/* Algorithm 1 for merging ST_A and ST_B */
Compute H_insert = H_min(ST_A) − H_max(ST_B).
For d > 2, search for an empty child node in ST_A at level H_insert
or H_insert − 1.
/* If H_insert = 0, levels 0 and 1 are searched */
If such a node exists, insert ST_B as the child of the node. Done.
Mark a proper node at level H_insert, or 1 if H_insert = 0.
/* The marked proper node is the one with the greatest number of leaf
nodes at level H_min(ST_A), denoted N_insert(ST_A) */
If d > 2, search the root of ST_B for an empty node.
If such a node exists, insert N_insert(ST_A) as the child of ST_B and
insert ST_B at the old location of N_insert(ST_A). Done.
Create a new node at the old location of N_insert(ST_A) and insert
N_insert(ST_A) and ST_B as the children of the new node.
Algorithm 2.3.
/* Algorithm 2 for merging ST_A and ST_B */
For d > 2, search the root of ST_A for an empty child node.
If it exists, insert ST_B at the empty child node. Done.
Create a new key node at the root and insert ST_A and ST_B
as its children.
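The dispatch between the two merging algorithms can be sketched as follows; representing a subtree by only its (H_min, H_max) pair is our own simplification for illustration, not the scheme's data structure:

```python
# Sketch of the merge-algorithm dispatch in the balanced batch rekeying
# scheme: subtrees are reduced to their leaf-height bounds (H_min, H_max)
# and the guard conditions from the text pick MergeAlgorithm 1 or 2.
def choose_merge(st_a, st_b):
    """st_a, st_b: (H_min, H_max) of subtrees ST_A and ST_B."""
    hmin_a, hmax_a = st_a
    hmin_b, hmax_b = st_b
    if hmax_a - hmin_b > 1 and hmax_a - hmax_b >= 1:
        return "MergeAlgorithm 1"   # insert ST_B inside ST_A at level H_insert
    if hmax_a - hmin_b <= 1 and hmax_a - hmax_b <= 1:
        return "MergeAlgorithm 2"   # join the two subtrees under a root node
    return "unspecified"            # remaining cases fall outside both guards

# H_max(ST_A) - H_min(ST_B) = 3 > 1 and the maxes differ by 2 >= 1:
assert choose_merge((3, 4), (1, 2)) == "MergeAlgorithm 1"
# Equal-height subtrees satisfy both <= 1 conditions:
assert choose_merge((2, 3), (2, 3)) == "MergeAlgorithm 2"
```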
routers forming the shortest path between the router to which a member
host is directly attached and one of the core routers. The GI provides each
core with membership control information in the form of a member inclusion
list or a member exclusion list. A member wishing to join a group
sends the join request to one of the cores. On approval from the core,
the path connecting the member to the core tree forms a new part of the
group multicast tree. The GI may act as a Key Distribution Center (KDC),
which generates two keys: the Data Encryption Key (DEK) and the Key
Encryption Key (KEK). The KDC sends these two keys to the new member
through a secure channel. To update the DEK on member join, the KDC
multicasts to the group the new DEK encrypted with the KEK. CBT assumes
that a member, once removed, would not receive any further multicast mes-
sages and hence would not harm the group. This assumption is not valid
in a global multicast environment. In addition, good core replacement is a
difficult problem.
Sherman et al. [Sherman and McGrew (2003)] proposed the One-way
Function Tree (OFT) scheme. The OFT scheme assumes the presence of
a secure channel between the GC and every group member. The scheme
also uses a logical key tree (as in LKH) maintained by the GC with group
members placed at the leaf nodes. Every node x in the OFT key tree has
three values associated with it: (1) the node secret S_x, (2) the blinded
node secret B_x = f(S_x), and (3) the node key K_x = g(S_x), where f() and
g() are one-way functions known by the GC and the nodes. The GC randomly
generates the
node secrets for the leaf nodes and calculates the node keys and the blinded
node secrets. For all the internal nodes, the node secret is S_x = B_xl ⊕ B_xr,
where x_l and x_r are the left and right children of node x, respectively.
The GC calculates node secrets, blinded node secrets and node keys in a
bottom up manner.
For every node x, the GC encrypts the blinded node secret Bx by Kx̂
and broadcasts it, where Kx̂ is the node key of sibling x̂ of node x. Every
leaf node gets its secrets by a unicast message from the GC. Any member x
can calculate its own node key as K_x = g(S_x) and the blinded node secret
as B_x = f(S_x). x can calculate the blinded secret of its sibling from the
GC's broadcast. Using its own blinded secret and the sibling's blinded
secret, x can get the node secret of its parent p. Using p's secret, x can
get the secret of p's parent. Continuing this way, a member x obtains all
the keys from its node to the root, including the root key, which is the
group key.
In case of a member join or leave, the GC changes the node secret of the
sibling of the node at which change took place. The GC also recomputes all
the secrets for the path from leaf where change took place to the root and
rebroadcasts the encrypted blinded node secrets. Thus, upon receiving the
rekeying broadcasts, all the members can reconstruct the tree and get the
keys along the path from their leaf to the root. The main advantage of OFT
over LKH is that the number of broadcast messages is halved from 2log(n)
to log(n). Canetti et al. [Canetti et al. (1999a)] proposed the One-way
Function Chain (OFC) scheme, which is a variation of the OFT scheme.
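The OFT derivation can be sketched for a complete binary tree; the concrete hash-based choices for f and g below are our own illustrative stand-ins for the one-way functions:

```python
# Sketch of One-way Function Tree (OFT) key derivation: internal node
# secret S_x = B_xl XOR B_xr, blinded secret B_x = f(S_x), node key
# K_x = g(S_x). Hash-based f and g are illustrative choices.
import hashlib

def f(s): return int.from_bytes(hashlib.sha256(b"blind" + s.to_bytes(32, "big")).digest(), "big")
def g(s): return int.from_bytes(hashlib.sha256(b"key" + s.to_bytes(32, "big")).digest(), "big")

def oft_root_key(leaf_secrets):
    """Bottom-up computation of the group key from the leaf node secrets."""
    level = list(leaf_secrets)
    while len(level) > 1:
        # Each parent's secret combines its children's *blinded* secrets.
        level = [f(level[2*i]) ^ f(level[2*i + 1]) for i in range(len(level) // 2)]
    return g(level[0])              # group key K_root = g(S_root)

# A member at leaf 0 recomputes the root key from its own secret plus the
# blinded secrets broadcast for the siblings along its path to the root.
leaves = [11, 22, 33, 44]
root = oft_root_key(leaves)
s = leaves[0]
for sibling_blinded in [f(leaves[1]), f(f(leaves[2]) ^ f(leaves[3]))]:
    s = f(s) ^ sibling_blinded
assert g(s) == root
```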
2.2.2.1 Iolus
In 1997, Mittra proposed Iolus [Mittra (1997b)]. In Iolus, a framework
with a hierarchy of agents is used to divide a large group into a number
of subgroups. The basic idea is to prevent a membership change in one
subgroup from affecting the keys of any other subgroup.
A group is decomposed into a number of subgroups located at
different levels of a tree. A Group Security Agent (GSA) manages each sub-
group. The GSA of the top-level group (root subgroup) is called the Group
Security Controller (GSC). The other GSAs are called Group Security In-
termediaries (GSI). Each subgroup has independent keys and there is no
common group key shared by all members. The GSI is a bridge between its
parent subgroup and its own subgroup, and possesses both subgroup keys.
The members encrypt the messages using the subgroup key and send it to
the GSI. On receiving the message, the GSI decrypts it, re-encrypts the
message with the key of the adjacent subgroup and retransmits the mes-
sage to the adjacent group. An example is illustrated in Figure 2.6. Let
us assume a member of the subgroup 3 (say u3 ) wishes to send a message
[Figure 2.6: An Iolus hierarchy. The GSC manages the root subgroup with
key k_0; GSAs manage subgroups with keys k_1, k_2, and so on. A GSI
receiving y_3 = E_{k_3}(M) from its own subgroup decrypts it and
re-encrypts it for the adjacent subgroup, e.g. E_{k_1}(D_{k_3}(y_3));
similarly, y_1 = E_{k_1}(M) is re-encrypted as E_{k_4}(D_{k_1}(y_1)).]
and using a different encryption key for each slice of time. A Binary Hash
Tree (BHT) is created from a single root seed and the leaves form the
encryption keys. The internal nodes are also known as seeds. Users who
wish to communicate receive the seeds required to generate the required
keys. The keys in the proposed scheme change with time, and hence cannot
be used in applications where dynamic membership change occurs.
In 2000, Setia et al. proposed Kronos [Setia et al. (2000)], a scalable
group-rekeying approach for secure multicast. Kronos is based on the idea
of periodic group re-keying, i.e. a new group key is generated after a certain
period of time instead of every instant when a member joins or leaves. Kro-
nos does not employ the central controller for generation of keys and hence
is fault-tolerant. However, achieving clock synchronization in distributed
environments can be hard. Additionally, the security of the group can be
compromised as the scheme uses a previous key to obtain a new key.
and ⟨l+1, 2v+1⟩, respectively. Every node ⟨l, v⟩, except for the root node,
is associated with a secret key k_{l,v} and a blinded key bk_{l,v} = f(k_{l,v}),
where f(x) = g^x mod p. The key k_{l,v} of a parent node is the Diffie-
Hellman key of its two children, i.e., k_{l,v} = g^{k_{l+1,2v} · k_{l+1,2v+1}} mod p =
f(k_{l+1,2v} · k_{l+1,2v+1}); thus, the secret key k_{l,v} of a node can be formed
from the secret key of one of its two children and the blinded key of the other
child by using the Diffie-Hellman key exchange protocol. Every blinded key
bk_{l,v} is publicly broadcast by some member(s) to the group. All group
members are hosted on leaf nodes, respectively. Every member U_i selects
its own Diffie-Hellman private share a_i and computes the corresponding
Diffie-Hellman disguised public share b_i. Suppose a leaf node ⟨l, v⟩ hosts
member U_i; then the secret key k_{l,v} for the node is a_i, and the blinded
key bk_{l,v} = g^{k_{l,v}} is b_i. Member U_i can compute all secret keys from its
leaf node ⟨l, v⟩ to the root node ⟨0, 0⟩, and of course, U_i will receive all
blinded keys in the key tree. The root node has secret key k_{0,0}, and there
is no need for bk_{0,0}. The group data encryption key (DEK) is obtained
by passing k_{0,0} through a one-way function.
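The bottom-up key derivation can be sketched with toy parameters; the prime, generator, and member shares below are illustrative only:

```python
# Sketch of tree-based Diffie-Hellman key derivation: each parent secret
# is the DH key of its children, k_parent = g^(k_left * k_right) mod p,
# and the DEK is a one-way function of the root secret k_{0,0}.
import hashlib

p, g = 2**127 - 1, 5        # toy public parameters (2^127 - 1 is prime)

def parent_key(k_left, k_right):
    return pow(g, k_left * k_right, p)

# Four members with private DH shares a1..a4 at the leaves.
a1, a2, a3, a4 = 17, 23, 31, 47
k_10 = parent_key(a1, a2)   # node <1,0> from children <2,0>, <2,1>
k_11 = parent_key(a3, a4)   # node <1,1>
k_00 = parent_key(k_10, k_11)

# Member U1 needs only its own secrets plus blinded keys bk = g^k mod p.
bk_21 = pow(g, a2, p)             # U2's blinded share
bk_11 = pow(g, k_11, p)           # blinded key of node <1,1>
k_10_u1 = pow(bk_21, a1, p)       # (g^a2)^a1 = g^(a1*a2)
k_00_u1 = pow(bk_11, k_10_u1, p)  # (g^k11)^k10 = g^(k10*k11)
assert k_00_u1 == k_00

dek = hashlib.sha256(k_00.to_bytes(16, "big")).hexdigest()  # DEK = h(k_00)
```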
[Figure 2.7: a TGDH key tree over six members U_1 … U_6 with private
shares a_1 … a_6. Leaf nodes ⟨2,0⟩–⟨2,3⟩ hold blinded shares such as
U_1: a_1 → g^{a_1}; internal nodes ⟨1,0⟩ and ⟨1,1⟩ hold keys such as
g^{a_1 a_2} → g^{g^{a_1 a_2}}, and the root ⟨0,0⟩ combines them.]
Fig. 2.7 Tree-based Group Diffie-Hellman key agreement. The notation k → g^k means
that members compute the secret key k, then compute the blinded key.
secret key of v_i's child on the path, and the blinded key of the other child
of v_i.
Summaries of the join and leave operations follow. A sponsor is a mem-
ber defined as follows: (i) The sponsor of a subtree is the member hosted
on the rightmost leaf in the subtree, and (ii) The sponsor of a leaf node v
is the member hosted on the rightmost leaf node (other than itself) of the
lowest subtree to which v belongs.
When a new member U requests to join the group, U begins by broad-
casting its public share. Next, all pre-existing members determine the inser-
tion location for U on the tree, and determine U ’s sponsor. Each member
updates the key tree by adding a new (leaf) node for U , a new internal
node, and removes all secret keys and blinded keys from the sponsor’s leaf
node to the root node. Then, the sponsor generates its new private share,
computes all secret and blinded keys from its leaf node to the root, and
broadcasts all new blinded keys. Every member computes the new root
key after receiving the new blinded keys. It can be seen that the root key
is computed in one round. Similarly, the root key can be computed in one
round for a single leave. Generally, for multiple leaves there will be multiple
sponsors. The sponsors need to collaborate to compute secret and blinded
keys in multiple rounds, in a way similar to the initial setup phase, bounded
by O(log₂(n)). After all sponsors compute and broadcast all blinded
keys, every member can compute the root key. Similarly, multiple joins
(and merging) can be performed in multiple rounds. A network partition
can be treated as “multiple leaves” from the point of view of any subgroup
resulting from the partition.
2.2.4.1 DGKD
The DGKD scheme assumes existence of a virtual tree structure as in pre-
vious schemes. But the major difference is that every leaf node has the
public key of the member present at that leaf while the internal nodes have
secret keys (see Figure 2.8). Every member manages this virtual tree inde-
pendently and updates it upon membership changes. The DGKD scheme
eliminates the need for a trusted central authority and introduces the con-
cept of sponsors and co-distributors. All group members have the same
capability and are equally trusted. Also, they have equal responsibility,
i.e. any group member could be a potential sponsor of other members or a
co-distributor (depending on the relative locations of the member and the
joining/leaving members in the tree). If a sponsor node fails, a new spon-
sor for the joining/leaving member is chosen by other members, making the
scheme robust.
A sponsor is a group member and the sponsor of a subtree is defined as
the member hosted on the rightmost leaf in the subtree (note: “rightmost”
can be equally replaced with “leftmost”). Every node has a sponsor which
is responsible for maintaining the node key. Figure 2.8 shows a DGKD tree
and the nodes’ sponsors. The sponsors can be determined efficiently. A
co-distributor of a sponsor is the sponsor of a node on another path whose
key is not known to the original sponsor.
Whenever there is a member change (either join or leave), the sponsor
initiates the key change and rekeying process. The rekeying process consists
of 2 rounds. In the first round, the sponsor sends the changed keys to
co-distributors, by encrypting the new keys with the public keys of the co-
distributors. In the next round, the co-distributors distribute the changed
keys to their respective members in a parallel manner.
The example shown in Figure 2.9 explains the above principle. Sup-
pose current members are U0 , U1 , U2 , U3 , U4 , U6 , U7 . When a new member
joins, all members can determine its position in the tree (here as U5 ) and
also determine that U4 is the sponsor of U5 . So U4 initiates the rekeying
process as follows: 1) generates new keys k4−5 , k4−7 , and k0−7 . 2) after
determining the co-distributors U3 and U7 , encrypts as follows and broad-
[Figure 2.8: a DGKD key tree with the TEK k_{0−7} at the root, KEKs such
as k_{6−7} and k_{4−5} at internal nodes, member public keys pk_0 … pk_7
at the leaves, and each node labeled with its sponsor, e.g. sponsor U_7
for the root.]
[Figure 2.9: the same tree after a join; the new TEK is k'_{0−7}, with
U_5 the new member, U_4 the sponsor, and the co-distributors marked.]
Fig. 2.9 A new member joins (becomes U_5); U_4 is the sponsor and U_3 and U_7 are
co-distributors.
casts: {k_{4−7}, k_{0−7}}_{pk_7} and {k_{0−7}}_{pk_3}. 3) U_3 will decrypt k_{0−7} and encrypt
it as {k_{0−7}}_{k_{0−3}}, and U_7 will decrypt k_{4−7} and k_{0−7} and encrypt them as
{k_{4−7}}_{k_{6−7}} and {k_{0−7}}_{k_{4−7}}. 4) U_4 also encrypts and sends the keys to U_5 as
{k_{4−5}, k_{4−7}, k_{0−7}}_{pk_5}. As a result, all the members will get the new keys.
The DGKD scheme gives various algorithms for deciding a sponsor (co-
distributors) and handling join and leave operations. It is worth mentioning
that the DGKD scheme also addresses the issue of member authentication
due to the use of public keys.
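The two-round flow of this example can be sketched as follows; encryption is mocked as labeled tuples, since only the message flow (not the cryptography) is being illustrated:

```python
# Sketch of DGKD's two-round rekeying for the join example: the sponsor
# U4 sends the new keys to the co-distributors under their public keys;
# the co-distributors then re-encrypt under existing subtree KEKs.
enc = lambda keys, under: (tuple(keys), under)   # {keys}_under, symbolic only

new_keys = {"k4-5", "k4-7", "k0-7"}

# Round 1: sponsor U4 -> co-distributors U7, U3 and the new member U5.
round1 = [
    enc(["k4-7", "k0-7"], "pk7"),                # to U7, under U7's public key
    enc(["k0-7"], "pk3"),                        # to U3
    enc(["k4-5", "k4-7", "k0-7"], "pk5"),        # to joining member U5
]

# Round 2: co-distributors fan the keys out under subtree KEKs, in parallel.
round2 = [
    enc(["k0-7"], "k0-3"),                       # U3 -> members U0..U3
    enc(["k4-7"], "k6-7"),                       # U7 -> members U6, U7
    enc(["k0-7"], "k4-7"),                       # U7 -> members U4..U7
]

delivered = {k for msg in round1 + round2 for k in msg[0]}
assert delivered == new_keys                     # every new key reaches the group
```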
2.3.1.1 CRTDH
The CRTDH scheme [Balachandran et al. (2005)] uses the Chinese Re-
mainder Theorem (see Theorem 1.1) and Diffie-Hellman key exchange (see
Definition 1.8) to achieve distributed key agreement for secure group com-
munication in wireless ad hoc networks. Assuming a group of n users,
{U1 , U2 , ..., Un } has to be formed, the following operations are performed
by each member Ui (where i = 1, ..., n) to obtain the shared group
key.
U_i selects the Diffie-Hellman (DH) private share x_i and broadcasts the
public share y_i = g^{x_i} mod p. U_i then receives the public shares from all
other members in the group and computes the DH key shared with each of
them as m_ij = y_j^{x_i} mod p, where j = 1, ..., i − 1, i + 1, ..., n. Each member
then finds the Least Common Multiple (LCM) of the DH keys computed
in the previous step. Let the LCM be lcm_i. U_i then randomly selects k_i,
its share for the group key. It also selects two arbitrary numbers, D and
D_p, such that D ≠ k_i and gcd(D_p, lcm_i) = 1. Each member then solves the
CRT system
crt_i ≡ k_i mod lcm_i
crt_i ≡ D mod D_p
and broadcasts crt_i to the group. Once U_i receives the CRT values from all
the other members in the group, it can obtain their corresponding secret
shares by computing k_j = crt_j mod m_ij, where j ≠ i. It then computes
the group key as GK = k_1 ⊕ k_2 ⊕ ... ⊕ k_n.
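The key agreement steps above can be sketched with toy parameters; the group size, prime, and share sizes are illustrative, and the helper names are ours:

```python
# Sketch of CRTDH group key agreement: each member's share k_i is hidden
# inside a CRT value crt_i that any member holding a pairwise DH key m_ij
# can open; the group key is the XOR of all shares. Toy parameters only.
from math import gcd, lcm    # math.lcm requires Python 3.9+
import random

random.seed(9)               # fixed seed just for reproducibility
p, g = 2**61 - 1, 2          # toy DH parameters
n = 3
x = [random.randrange(2, p - 1) for _ in range(n)]       # private shares x_i
y = [pow(g, xi, p) for xi in x]                          # public shares y_i

def crt_pair(r1, m1, r2, m2):
    """Solve c ≡ r1 (mod m1), c ≡ r2 (mod m2) for coprime m1, m2."""
    return (r1 + m1 * ((r2 - r1) * pow(m1, -1, m2) % m2)) % (m1 * m2)

crts, ks = [], []
for i in range(n):
    m = [pow(y[j], x[i], p) for j in range(n) if j != i]  # pairwise DH keys m_ij
    l = lcm(*m)
    k_i = random.randrange(2, min(m))   # share must stay below every m_ij
    ks.append(k_i)
    D_p = 11                            # arbitrary small modulus, made coprime to l
    while gcd(D_p, l) != 1:
        D_p += 2
    D = (k_i + 1) % D_p                 # arbitrary D with D != k_i
    crts.append(crt_pair(k_i, l, D, D_p))

# Any member i recovers k_j as crt_j mod m_ij, then XORs all shares.
def group_key(i):
    key = ks[i]
    for j in range(n):
        if j != i:
            key ^= crts[j] % pow(y[j], x[i], p)
    return key

assert group_key(0) == group_key(1) == group_key(2)
```

Recovery works because m_ij = m_ji divides lcm_j, so crt_j mod m_ij equals k_j whenever k_j is smaller than every pairwise DH key.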
Explanations of the operations to be performed when a new member
joins a group follow. Let us assume the member U5 wishes to join an
existing group of four members {U1 , U2 , U3 , U4 }.
In case of multiple joins, all the joining members should execute the
above steps to contribute their shares towards the group key. The existing
members then XOR all key shares from the newly joining members to get
the new group key. This makes multiple joins very efficient since exist-
ing members only perform XOR operations with all the contributed key
shares. Also, the join operation (single/multiple) involves only two rounds
of communication: one unicast message and one broadcast message.
The leave operation is similar to the join operation but consists of only
one round. Let us assume U2 is going to leave the group. Then the following
operations need to be performed:
• Any one of the remaining members, say U1 , should redo the key
agreement steps. Here, the LCM value is computed from the DH
keys that a member shares with the other members in the group.
For the leave operation, the DH key that U1 shares with U2 should
be left out of this LCM computation. Then, U1 selects a new key
share k1 and computes the CRT, which is broadcast to the group.
• The other members receive the crt1 value from U1 and calculate the
new k1 value. The new group key GKnew is computed as follows
GKnew = GK ⊕ k1
In case of multiple leaves, all the leaving members should be left out of
the LCM computation as shown above. No extra computation is needed
since the protocol need not be repeated for each leaving member. Thus,
the CRTDH protocol efficiently supports leave operations and more impor-
tantly multiple leave operations in a single round of computation.
Several provably authenticated protocols for group key exchange have been
proposed. We discuss some AKE protocols in this section.
2.3.2.1 AUTH-CRTDH
We first describe AUTH-CRTDH, a key management scheme for mobile
ad hoc networks with authentication capability. Auth-CRTDH is an im-
provement and extension to CRTDH discussed in Section 2.3.1.1. The users
utilize the services of a central key generation center (KGC) for obtaining
a secret corresponding to their ID. This central entity is different from a
Group Controller (GC) (present in many schemes), as the services of the
KGC are required only at system setup and it does not participate in the
key agreement procedure. The operations performed at the KGC can be
thought of as offline operations that need to be performed prior to the for-
mation of any ad hoc environment. However, these operations ensure that
each node in the ad hoc network can authenticate itself to any other node
in the network. We also propose changes in the join and leave algorithms in
CRTDH to make the scheme resistant to Least Common Multiple (LCM)
attacks. The proposed scheme is described below. Before getting into
AUTH-CRTDH, we describe the attacks on CRTDH including the LCM
attacks as follows.
The CRTDH protocol, in its current form, lacks mutual authentication
among members and hence is vulnerable to the Man-in-the-Middle attack.
CRTDH also suffers from another kind of attack, which we call the LCM
attack. The attack is possible due to the fact that the LCM for any given
set of numbers is not unique to the given set. In other words, there could
be many more numbers that could possibly be added to the set and still
result in the same LCM value. This could cause problems in the member
join and member leave operations.
• The LCM attack on member join. Assume that there exists a group
of four members, {U1 , U2 , U3 , U4 } who share the group key GK and
a user U5 wishes to join the group. The member join operation in
CRTDH requires one of the members (closest to the newly added
member) to provide the new member with the hash value of the
current group key, along with the public DH shares of the current
group members i.e. h(GK) and y1 , y2 , y3 , y4 . User U5 executes the
steps in the key agreement procedure (as described previously) and
broadcasts the CRT value crt5 along with its DH public share y5 .
EIDi = h(IDi)
Si = EIDi^d (mod n)
When a user Ui registers with the system, he sends his IDi to the
KGC, which performs the steps 4 and 5 mentioned above. The KGC sends
(n, g, h, Si ) to Ui . Ui keeps Si secret and stores the public information
(n, g, h). In addition, the ID of each user is publicly known.
B. Key Agreement
In order to establish the group key for a group with m members, each
member Ui should execute the following steps, where i = 1, 2, ..., m.
Ai = Si · g^{2xi} (mod n)
Bi = g^{3xi} (mod n)
If the equation holds true, then the user computes the DH shared
secret with each of the members as follows:
GK = k1 ⊕ k2 ⊕ ... ⊕ km
September 22, 2007 0:3 World Scientific Book - 9in x 6in tcc
Thus the Chinese Remainder Theorem is used to send the secret key share
of each user (disguised) to all the other members in the group. The mutual
authentication is provided by using an ID based scheme.
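The CRT step can be sketched in a few lines; the residues and moduli below are toy values (in CRTDH the moduli are derived from the pairwise DH keys):

```python
from math import prod

def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise-coprime moduli."""
    M = prod(moduli)
    x = 0
    for r, m in zip(residues, moduli):
        Mi = M // m
        x = (x + r * Mi * pow(Mi, -1, m)) % M  # pow(.., -1, m): modular inverse
    return x

# Classic toy instance: x = 2 (mod 3), x = 3 (mod 5), x = 2 (mod 7)
x = crt([2, 3, 2], [3, 5, 7])
assert x == 23
# Each receiver recovers its residue by reducing the broadcast value:
assert [x % m for m in (3, 5, 7)] == [2, 3, 2]
```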
The authors assume that the players of the protocol do not deviate from it, that the adversary is not a player, and that the adversary's capabilities are modeled by various queries.
Recently, in Asiacrypt 2004, Kim et al. proposed an efficient, provably secure authenticated group key exchange (AGKE) scheme with a constant number of rounds [Kim et al. (2004a)]. The paper discusses an authenticated group
key exchange scheme for settings of ad-hoc networks where the group mem-
bership is highly dynamic and no central trusted party exists. According
to the authors, most of the proposed schemes so far for AGKE have the
number of rounds linear with respect to the number of members in the
group. Hence, the schemes are neither scalable nor practical and are highly
inefficient. The proposed scheme in the paper achieves AGKE in constant
number of rounds (2 rounds for group operations like setup, join and leave)
and is contributory and efficient. Each user executes at most three modular
exponentiations and O(n) XOR operations. For authentication, each group
member generates 2 signatures and performs 2n signature verifications.
Si = {N, i, s1,1 (i, i), . . . , sm,1 (i, i), s1,2 (i, i), . . . ,
ability cannot pass across the boundary of windows, e.g., the last sessions in a window cannot be used to recover the lost session keys of the first sessions in the following window. In addition, at the beginning of each
window, a system set up (which is complicated) needs to be done. In this
sliding window scheme, any session has its own window and a session is the
center of its window. Adjacent windows are heavily overlapped. The lost
key of a session can be recovered from its previous and following sessions
as long as these sessions are within the δ range. Also the expensive set up
at the beginning of each window is eliminated. Finally, the scheme also
improves Staddon’s scheme [Staddon et al. (2002)] with reduction of the
broadcast size and personal key sizes.
The scheme proposed in [Zhu et al. (2003)] uses the Subset Difference Rekeying method (SDR); it forms a separate class of self-healing key management schemes and does not involve polynomials. SDR is based on the binary key tree key management scheme (i.e. LKH) (see Section 2.2.1.1), and
its principle is as follows. The group manager maintains a binary key
tree that contains all the users as leaves. Each group member receives
from the group manager the subset cover keys of all possible subsets that
the member might belong to. The binary tree is chosen large enough to
accommodate the largest possible number of users. The group manager
partitions the current group members into a minimum number of subsets
during a rekeying operation. The group manager then encrypts the new
group key with the common key of each subset separately. Therefore, the
group member who belongs to one of these subsets and has the key of one of
these subsets can decrypt the new group key. The self-healing capability is
added to SDR as follows. Let T(i) be the current rekeying time and K(i) the new group key to be distributed. A simple method that enables a current member to recover the previous m group keys, i.e., K(i − m), K(i − m + 1), . . . , K(i − 2), K(i − 1), is to encrypt these m keys with the current group key K(i) individually and broadcast them to the group. Hence, when a user receives K(i) reliably, it will be able to recover the previous m keys. Moreover, it is necessary to bind the time at which a user joined the group to its ability to recover previous group keys. That is, a user should only be allowed to recover the group keys that were used after he joined the group (but not the keys from before he joined). To achieve this goal, the group manager encrypts each group key K(i − j), 1 ≤ j ≤ m, with a key derived by XORing the current group key K(i) with the group key K(i − j − 1) (i.e., the group key immediately preceding K(i − j)).
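A minimal sketch of this binding (XOR stands in for a real cipher, the derivation key is taken to be K(i) XORed with the key immediately preceding the one being recovered, and all key values are random toy data):

```python
import os

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

m, i = 3, 5
K = [os.urandom(16) for _ in range(i + 1)]  # group keys K(0)..K(5); K(5) is current

# Broadcast K(i-j) encrypted under K(i) XOR K(i-j-1), for j = 1..m
broadcast = {i - j: xor(K[i - j], xor(K[i], K[i - j - 1]))
             for j in range(1, m + 1)}

# A member holding K(i) who was already in the group at time i-j-1
# (and so holds K(i-j-1)) recovers the lost key K(i-j):
j = 2
assert xor(broadcast[i - j], xor(K[i], K[i - j - 1])) == K[i - j]
```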
2.3.4.1 BF-TGDH
We discuss the following Block-Free TGDH mechanism (BF-TGDH), which is based on TGDH (see Section 2.2.3.1): (1) the front-end key is the root key in TGDH, and (2) the back-end keys are computed in an identical way to the root key, as follows. Suppose the root key is denoted RK(a1 · · · ai · · · an), where a1, · · · , ai, · · · , an (correspondingly b1 = g^{a1}, · · · , bi = g^{ai}, · · · , bn = g^{an}) are the private shares (correspondingly disguised public shares) of U1, · · · , Ui, · · · , Un respectively. Imagine there are
n dummy members D1 , · · · , Di , · · · , Dn and corresponding n dummy pri-
vate shares d1 , · · · , di , · · · , dn . The members can compute a back-end key,
called dummy root key and denoted as DRKi (a1 · · · di · · · an ) (i = 1, · · · , n),
in parallel with the computation of the root key RK(a1 · · · ai · · · an ). In
DRKi , the private share ai is replaced by dummy private share di . There-
fore, DRKi can be computed by all members except Ui .
Suppose that every member Ui has a permanent Diffie-Hellman private
share ai and disguised public share bi . Moreover suppose that there is an
1 The join operation is generally much easier and more efficient to perform than the
leave operation.
Fig. 2.10 Block-Free Tree-based Group Diffie-Hellman key agreement for seamless SGC.
Each remaining member can likewise compute the dummy root keys (a1 a2 d3 a4 a5 a6), (a1 a2 a3 d4 a5 a6), (a1 a2 a3 a4 d5 a6), and (a1 a2 a3 a4 a5 d6) upon receiving the corresponding blinded dummy shares.
As in TGDH, each leaf node < l, v > is associated with a member
Ui . Moreover, < l, v > is imagined to be associated with a dummy
member Di . As in TGDH, the group members compute the root key
RK(a1 · · · an ), where a1 , · · · , an are permanent private shares of group
members U1 , · · · , Un . Moreover, every member Ui can compute dummy
root keys DRKj (a1 · · · dj · · · an ), j = 1, · · · , i-1,i + 1, · · · , n in parallel with
the computation of the root key RK with a little computation cost but
no extra communication cost. For secure group communication, all group
members pass the root key RK through the public one-way function P OF
to get the Data Encryption Key (DEK), i.e., DEK = P OF (RK(a1 · · · an ))
and then encrypt the message with DEK. Moreover, when a member
broadcasts a message, it will sign the message using ElGamal signature
protocol. All other members can authenticate the sender.
When a member joins the group, the member will broadcast a join
request. After receiving the join request, every group member will pass
the current DEK through the one-way function to get the new DEK
(=P OF (DEK)), and use the new DEK to encrypt and decrypt the mes-
sages without any interruption. The sponsor of the joining member is
responsible for sending the new DEK to the joining member. Before send-
ing the new DEK, the sponsor encrypts it with the Diffie-Hellman key
between him/her and the joining member. As a result, the joining member
can participate in the group communication immediately. During the data
communication, the sponsor of the joining member will compute, in the
background, the secret keys/dummy secret keys and blinded keys/dummy
blinded keys on the path from his/her leaf node to the root node, and
broadcast the blinded keys/dummy blinded keys to the group by append-
ing the blinded keys/dummy blinded keys to out-going messages or a sep-
arate packet if there are no out-going messages. All the group members
will compute the new root key and new dummy root keys after they re-
ceive the blinded keys/dummy blinded keys from the sponsor. The sponsor
also sends blinded keys and dummy blinded keys, specifically, those keys
corresponding to the nodes along the path from the joining member to
the root, to the joining member so that the joining member can compute
the new root key and new dummy root keys. Once a group member com-
putes the new root key (and new dummy root keys), it computes the new
DEK = P OF (RK(a1 · · · an )) and uses the new DEK for communication
(it is possible for him/her to use the old DEK to decrypt some messages
encrypted with the old DEK for a while2 ).
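The join-time ratchet can be sketched as follows; SHA-256 stands in for the public one-way function P OF, and the starting DEK is a made-up value:

```python
import hashlib

def pof(dek: bytes) -> bytes:
    """Public one-way function: every member ratchets the DEK forward locally."""
    return hashlib.sha256(dek).digest()

dek_old = b"\x01" * 32       # hypothetical current DEK
dek_new = pof(dek_old)       # computed by every member on a join request
# The joining member receives dek_new from its sponsor, but cannot
# invert pof to learn dek_old, so pre-join traffic stays confidential.
assert dek_new != dek_old
```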
When a member Ui leaves, after receiving the departure request, all
remaining members will use the dummy root key DRKi to get the new
DEK (i.e., DEK = P OF (DRKi )) and use the new DEK to continue
the communication without interruption. However, the leaving member Ui
cannot decrypt these messages because its share is not in DRKi . During
the communication, the sponsor of the leaving member will recompute the
secret keys/dummy secret keys and blinded keys/dummy blinded keys along
the path from him/her to the root and broadcast all blinded keys/dummy
blinded keys by appending them to out-going messages.
When multiple members join at the same time, all members will pass
the current DEK through the one-way function to get the new DEK and
use the new DEK to communicate. There will be multiple sponsors in gen-
eral and a member may be the sponsor for several joining members. Each
sponsor will encrypt the new DEK using the Diffie-Hellman key between
him/herself and one of his/her joining members and send the DEK to the
joining member. The joining members can participate in the communica-
tion immediately. During communication, the new root key and dummy
root keys will be reestablished.
When multiple members (say, three) leave at the same time (suppose
the members are U1 , U4 , U6 ), all remaining members will get the new
DEK as follows: multiply the three dummy root keys to get the product
P DRK = DRK1 × DRK4 × DRK6 and then pass the product P DRK
through the one-way function to get the new DEK. Since any leaving
member will have one dummy root key missing, he/she cannot compute the
new DEK. After the new DEK is computed, the group communication
continues and the leaving members are excluded. During the process of
communication, the sponsors will reestablish the new root key and dummy
root keys. Note that if two leaving members collude, they have all dummy
root keys for computing the new DEK, so BF-TGDH is not resistant to the
collusion of leaving members who leave at the same time. However, this
success due to collusion will persist just for a short time. Once the new
root key and dummy root keys are reestablished, the leaving members are
excluded completely.
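A sketch of the multiple-leave rekeying (the modulus and DRK values are invented, and pof stands in for P OF):

```python
import hashlib

q = 2_000_003                # toy prime modulus (illustrative only)

def pof(x: int) -> bytes:
    """Public one-way function mapping a key value to a DEK."""
    return hashlib.sha256(x.to_bytes(16, "big")).digest()

# Hypothetical dummy root keys already held by the remaining members;
# U1, U4, U6 leave simultaneously.
DRK = {1: 1234, 4: 5678, 6: 9012}
PDRK = DRK[1] * DRK[4] * DRK[6] % q
DEK = pof(PDRK)

# Each leaver U_i cannot compute its own DRK_i, so alone it cannot form
# PDRK; every remaining member computes the identical new DEK.
assert pof(DRK[1] * DRK[4] * DRK[6] % q) == DEK
```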
When multiple members join and leave at the same time, the new DEK will be computed similarly to the case of multiple leaves. This new
2 The version number of the DEK used in the encryption may be included in the
messages.
2.3.5.1 KTDCKM-SDC
We first present a scheme, called Key Tree based Distributed Confer-
ence Key Management for Secure Dynamic Conferencing (KTDCKM-
SDC) [Adusumili and Zou (2005)]. The scheme is based on the principle
of DGKD (See section 2.2.4). It manipulates the same binary key tree,
maintains the same sponsor fields, and distributes conference keys in two
multicast rounds. An initiator of a conference generates a random con-
ference key and distributes the conference key to the co-distributors in
the first round. Then the co-distributors distribute the conference key to
corresponding conference members in a distributed/parallel manner in the
second round.
(1) U first determines the keys which cover exactly these members.
(2) If there is only one key determined (i.e. all the conference members
are exactly covered under one subtree), the key will be used as the
conference key. Otherwise, the following steps are performed.
(3) U selects a random conference key CK.
(4) For each of the above determined keys, U determines its co-distributor,
which is the sponsor of the subtree rooted at the node corresponding
to this key.
(5) U encrypts CK with the public keys of co-distributors respectively and
multicasts the encrypted key.
(6) When a co-distributor receives the encrypted CK, it decrypts, reen-
crypts the CK with the key exactly covering the co-distributor and
some other conference members, and broadcasts (all the co-distributors
perform this step in a distributed/parallel way).
(7) The members covered by the key (thus, all the conference members
covered by all the above keys) will get the conference key CK.
Fig. 2.11 U0 initiates conference {U0 , U1 , U2 , U3 } and k0−3 is used as the conference
key CK.
Let us see two examples. In Figure 2.11, all the conference members
{U0 , U1 , U2 , U3 } are covered under key k0−3 . Thus, k0−3 is selected as the
conference key for this conference. In Figure 2.12, {U1 , U3 , · · · , U7 } are
covered by the keys pk1 , pk3 , and k4−7 . The sponsors corresponding to
Fig. 2.12 U1 initiates conference {U1 , U3 , · · · , U7 } and pk3 and pk7 are used to encrypt
the conference key CK. Then U7 encrypts CK with k4−7 .
(along with some public information) the member can compute any confer-
ence key the member can join later. The main problem with this scheme is
the exponential size of secret information.
ISDC [Gouda et al. (2002a,b)] is similar to KTSDC in the sense that
it is also based on the key tree scheme and also needs to determine the
keys in the key tree which cover exactly the conference members. However,
there are three main differences from KTSDC. One is that the GC in ISDC
relays all the conference messages, i.e., decrypting the message, encrypting
the messages (with (multiple) keys covering the conference members) and
sending the messages. This will make the GC very busy and turn it into a performance bottleneck. The second difference is the way the keys which exactly cover all conference members are determined. ISDC does this by grouping the members into distinct intervals, then splitting each interval into basic intervals. This is inefficient compared to the KTSDC algorithm, which computes the necessary keys directly, without the concepts of intervals or basic intervals. The third difference is that the computation of intervals and basic intervals for every conference is performed by the GC, which increases the GC's workload and worsens its performance.
It is worth discussing the power of SGC key management schemes. As mentioned previously, SDC and SGC are closely related: SGC is a special case of SDC, or equivalently, SDC is an extension of SGC. By nature, an SDC scheme can be used directly for SGC. The only disadvantage of doing so is that the capability of the SDC scheme is wasted, i.e., the complexity is unnecessarily high. However, an SGC scheme is in general unable to be used for SDC. Most existing SGC schemes would require each conference to have its own copy of the SGC key management scheme. Since there is a potentially exponential number of conferences, there would be an exponential number of copies of the SGC key management scheme, so this kind of utilization is generally infeasible. The real power of DGKD is that this SGC scheme can be utilized for SDC in an identical and efficient way.
2.4 Conclusion
This chapter has discussed group key management for SGC in considerable detail. The key management schemes have greatly improved over time, becoming more efficient, scalable, practical and secure. SGC still faces some practical challenges which need to be addressed in order to realize the promise of taking collaborative computing applications to greater heights in the era of trusted collaborative computing.
Chapter 3
levels and a user who has the access right to a resource at one level is auto-
matically granted access to the resources which are the resource’s children
or descendants at lower levels. A typical hierarchy has a partial order ≤,
where Ci ≤ Cj means that a user at Cj can access resources at Cj as well
as Ci . Cj is called an ancestor class of Ci whereas Ci is called a descendant
class of Cj . A typical hierarchy is represented by a directed acyclic graph
(DAG)3 (see Figure 3.4).
Traditionally, access control has been implemented using non-cryptographic techniques. These techniques are typically classified into the following categories [Sandhu and Samarati (1994); Tripunitara and
Li (2004)]: Discretionary access control (DAC) [Harrison et al. (1976);
Lampson (1974)], Mandatory access control (MAC) [Denning (1976)] and
Role-based access control (RBAC) [Al-Kahtani and Sandhu (2004); Fer-
raiolo et al. (2001); Moyer and Ahamad (2001); Park and Hwang (2003);
Sandhu et al. (1996)]. Some other (incremental or supplementary) access control models have also been proposed, such as Task-Based Access Control (TBAC), Team-Based Access Control (TMAC), Spatial Access Control (SAC) and Context-Aware Access Control (Context-AW) [Tolone et al. (2005)]. We briefly summarize them in the following.
start when the system is being set up. Every subscription request will be
kept in an appropriate RL. Thus, m RLs will be created in a time interval
and maintained by the GC. These m RLs correspond to m conferences.
At the end of the time interval, the GC will run the algorithm to determine the key indices of a conference (see Figure 3.2) for each RL. This algorithm
starts by sorting the IDs of users in a conference (RL). In the first pass,
pairs of users covered under the same node are identified and sorted in an
array. In the next pass, the algorithm checks if two pairs are covered under
one node. This continues until all the cover keys are identified.
(Figure: a binary key tree; nodes are numbered heap-style in binary, with root 0000 and leaves 0111 through 1110 holding users u0 – u7.)
To identify if two users are covered under one node, the indexing scheme
is helpful. If the first user’s index is even, this means that the user will not
share a key with any other user, since he/she is on a right branch. Thus,
that user’s index is put on the cover key list and the user’s key is one of
the cover keys. If the user’s index is odd, the next user’s index is checked
to see if they share the key. After the first pass, the same operations are
done but on pairs of users identified in the first pass. The next passes are
similar and they either identify pairs that share node keys or are separate
and, hence, cover keys. We can apply more optimization techniques here,
Algorithm 3.1.
/* RL: Resource List which stores members' IDs in an ascending
order */
While (current member ID list is not empty) {
    if (Current ID is even) {
        Store Current ID (which is one key index needed)
        Remove Current ID from current member ID list
        Move Current ID to the next ID
    } else {
        if (Next ID equals Current ID + 1) {
            Find Parent ID of Current ID
            Replace Current ID by Parent ID
            Remove Next ID
            Move Current ID to the next ID
        } else {
            Store Current ID (which is one key index needed)
            Remove Current ID from current member ID list
            Move Current ID to the next ID
        }
    }
}
Fig. 3.2 An efficient algorithm for determining the key indices for any RL.
such as if k RLs are identical, then the same REK can be used for all k
RLs.
For example, consider an e-newspaper offering 3 sections: sports, poli-
tics and stocks. Assume 8 members are registered with the GC and the GC
maintains a Key Tree as in Figure 3.1. If all the members subscribe to the
sports section (resource 1), then they are covered under the root key, hence
the REK for sports is the root key. If members m0 and m1 subscribe to
resource 2, i.e. politics, they will be put in RL2 . Now, members in RL2 are
also covered by a single key k3 which will be the REK for politics. Finally,
if members m3 , m6 , and m7 subscribe to stocks (resource 3), the GC will
find the cover keys k10 and k6 . The GC will generate a REK for resource
3 and send it using the cover keys.
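Under a 0-indexed heap numbering of the key tree (node i has children 2i + 1 and 2i + 2, so members m0 – m7 sit at leaf nodes 7 – 14, matching the example above), Algorithm 3.1 can be sketched as the following multi-pass routine; the iteration structure is one possible reading of the pseudocode:

```python
def cover_keys(leaf_ids):
    """Minimal set of key-tree nodes covering the given leaves.

    Nodes are numbered heap-style: node i has children 2i+1 (left, odd
    index) and 2i+2 (right, even index).
    """
    ids, covers = sorted(leaf_ids), []
    while ids:
        nxt, i = [], 0
        while i < len(ids):
            cur = ids[i]
            # odd index with its right sibling present: merge into parent
            if cur % 2 == 1 and i + 1 < len(ids) and ids[i + 1] == cur + 1:
                nxt.append((cur - 1) // 2)
                i += 2
            else:                        # no sibling in the list: a cover key
                covers.append(cur)
                i += 1
        ids = sorted(nxt)                # next pass works on the parents
    return sorted(covers)

# Members m3, m6, m7 sit at leaves 10, 13, 14 -> cover keys k10 and k6
assert cover_keys([10, 13, 14]) == [6, 10]
# m0, m1 at leaves 7, 8 -> single cover key k3
assert cover_keys([7, 8]) == [3]
# All eight members -> the root key k0
assert cover_keys(range(7, 15)) == [0]
```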
The basic idea behind our scheme is the fact that user subscriptions
to a resource can be viewed as a special case of SDC. Although SDC was
proposed for a different domain, it can be used efficiently for the domain
(1) A member subscribes to one or more new resources to which he has not
already subscribed.
(2) A member un-subscribes from one or more resources already sub-
scribed.
(3) A member changes his subscriptions from some resources to others.
will not differ from the original cover keys, as most of the users will be
the same. This can be seen as a special case of some members leaving
and joining from an ordinary Key Tree. In the maintenance operations
described, it is assumed all the legal and technical formalities related to
subscription, un-subscription and changes are taken care of.
Now let us describe resource dynamics. There are also only three pos-
sible cases:
3.2.3 Discussion
We will discuss various performance and security issues of this DIF-AC
scheme in this section. We will discuss the best, worst, and average case
scenarios of finding the Resource Encryption Keys (REK ) for each resource,
followed by issues of scalability, number of keys and dynamics in terms of
user join/leave and resource addition and revocation.
The Best Case of finding REK s is when all the users in a RL are cov-
ered under one key. Then that key from the efficient key tree for SGC
becomes the REK. In the best case it is not required to construct a tree for
distributing the REK. The Worst Case of finding REKs is when we have n/2 members in a RL in such a way that there is no shared key between any two members. In this case, the algorithm to find the key cover returns n/2 keys, and it may be more efficient to construct a separate key tree with all the cover keys at leaf nodes and the REK at the root. In the average case, we will have more than one and fewer than Navg/2 keys, where Navg is the average number of keys to be changed in the batch rekeying scheme described in Chapter 3 of the book SGC over Data Networks [Zou et al. (2004b)].
Navg = Σ_{l=0}^{h−1} 2^l · [1 − C(n − n/2^l, m) / C(n, m)]
where n is the total number of members in a key tree, h is the height of the tree, and m is the number of changed members. Navg gives the total number of keys that need to be changed on average.
(Figure: an access hierarchy of classes c0 – c10.)
(1) There is one trusted Central Authority (CA) who is responsible for
generating and distributing secret information for all nodes.
(2) There exists an underlying group key management mechanism which
supports how keys/secret information are distributed to nodes and their
users/resources in a secure manner (See Chapter 2).
Then for every vertex vi, the GC computes ti = ∏_{vj ≰ vi} pj, i.e., the product of the primes pj of all vertices vj that are not descendants of vi (nor vi itself), and makes all the ti public. The root vertex v0 is assigned t0 = 1 (see Figure 3.5). Finally, the GC randomly selects a large random integer k0 as the key for the root
vertex. The GC computes the key for each vertex vi as ki = k0^{ti} mod M. Each vertex vi receives its respective key ki over a secure channel.
(Figure 3.5: vertices v0 – v5 with their public products ti and keys ki; e.g., t1 = p0 · p2 · p5 and t2 = p0 · p1 · p3.)
Due to the way the ti are computed, the following condition is satisfied: tj | ti (i.e., ti is divisible by tj) if and only if vi ≤ vj. As a result, if vi ≤ vj, then vj can compute vi's key ki from kj as follows: kj^{ti/tj} = (k0^{tj})^{ti/tj} = k0^{ti} = ki.
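A toy sketch of this construction (the hierarchy, primes, key k0, and modulus M below are invented, and far too small for real use):

```python
from math import prod

M = 467 * 479                  # toy modulus (a real scheme uses a large RSA modulus)
primes = [2, 3, 5, 7, 11, 13]  # one distinct prime p_i per vertex v_i

# below[i] = {j : v_j <= v_i}, i.e. the vertices v_i can access (incl. itself)
below = {0: {0, 1, 2, 3, 4, 5}, 1: {1, 3, 4}, 2: {2, 4, 5},
         3: {3}, 4: {4}, 5: {5}}

def t(i):
    # t_i: product of the primes of all vertices NOT below v_i (so t_0 = 1)
    return prod(primes[j] for j in range(6) if j not in below[i])

k0 = 1234
key = {i: pow(k0, t(i), M) for i in range(6)}

# v_1 derives its descendant v_3's key from its own, since t_1 | t_3:
assert t(3) % t(1) == 0
assert pow(key[1], t(3) // t(1), M) == key[3]
```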
(Figure: vertices v3 – v9 with independent keys k3 – k9 and public edge values r36, r37, r47, r48, r58, r59.)
Every vertex vi selects its own independent key ki which is sent to the
GC securely. For all vi ≤ vj , the GC computes an rji as follows: rji =
f (kj , IDi ) ⊕ ki where f is a cryptographic hash function and IDi is the
identification of vi . All rji are made public. Using rji , vj can compute the
key ki of vi as follows: ki = f (kj , IDi ) ⊕ rji . However vi cannot compute kj
efficiently because of the one-way property of f . Thus, hierarchical access
control is enforced.
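A few lines suffice to sketch the derivation; the keys and ID are made-up values, and SHA-256 stands in for f:

```python
import hashlib

def f(key: int, node_id: int) -> int:
    """Cryptographic hash of (key, ID), as an integer."""
    digest = hashlib.sha256(f"{key}:{node_id}".encode()).digest()
    return int.from_bytes(digest, "big")

# Hypothetical parent v_j and child v_i with independently chosen keys
k_j, k_i, ID_i = 0x1234, 0x5678, 7

r_ji = f(k_j, ID_i) ^ k_i           # published by the GC
assert f(k_j, ID_i) ^ r_ji == k_i   # v_j recovers k_i from the public r_ji
# v_i cannot go the other way: that would require inverting f.
```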
Let us briefly introduce the scheme proposed in [Shen and Chen (2002)]
here. The GC selects P as a large prime and g as a generator of ZP∗ . The
GC also selects secret bj and key kj for every vertex vj in the hierarchy.
Now, the GC computes Newton's polynomial interpolation Ij(x) for vj by interpolating at the points (IDi (g^{kj} mod P), bi) for every relation vi ≤ vj. The GC publishes Ij(x) and Qj = kj^{1/bj} mod P for every vertex vj. Now a user at vertex vj can derive the key of any descendant vertex vi in two steps: (1) get bi = Ij(IDi (g^{kj} mod P)); (2) get ki = Qi^{bi} mod P.
The security flaw in the above scheme, pointed out in [Hsu and Wu (2003)], is as follows: if two classes have a common child class, one can access the data of the other's children which are not its own children. For example, looking at Figure 3.4, C2 and C4 have a shared child class C7. So the point (ID7 (g^{k2} mod P), b7) is contained in I2(x) and (ID7 (g^{k4} mod P), b7) is contained in I4(x). C2 can compute b7. Then by setting I4(x) = b7 and solving for its roots, C2 can obtain ID7 (g^{k4} mod P). Thus, (g^{k4} mod P) can be found. As a result, C2 can obtain the keys of C4's other children, such as C8, as b8 = I4(ID8 (g^{k4} mod P)) and k8 = Q8^{b8}. Similarly, C4 will be able to access C2's child C6. The solution proposed in [Hsu and Wu (2003)] is simple: use a public cryptographic hash function f to change the first coordinate of the points to f(IDi (g^{kj} mod P)).
Moreover, there is another security flaw, found in [Wang and Laih (2005)], with the above schemes, even including the improved scheme. Consider any class Cj: all its descendants' secrets are embedded in Cj's public polynomial Ij(x), where these descendants' secrets are located at points known only to Cj. When some classes are added as, or removed from, Cj's descendant classes, Ij(x) is updated to accommodate the change of embedded secrets. But for those descendants which remain descendants of Cj, their secrets are still at the same points of the new, updated Ij(x). Consequently, if we generate a polynomial by taking the difference (or rather, the GCD) of the old and the new Ij(x), this polynomial will have zeros at exactly these points. In particular, if there is just one descendant which stays both before and after the addition or deletion, its secret will be disclosed immediately, without using any root-finding algorithm. The solution to this problem is to integrate a random number z into the points as (f(z IDi (g^{kj} mod P)), bi), where z is changed for every polynomial.
The authors in [Das et al. (2005)] modified the above scheme simply as follows: (1) instead of publishing Ij(x), make it known only to its class Cj; and (2) remove bj and Qj and change the points to (f(IDi kj), ki).
Many other schemes for HAC have appeared in the literature. Some schemes limit the HAC structure to a tree [Atallah et al. (2005); Sandhu (1988)] or a DAG with one root [Akl and Taylor (1983)]. Some schemes can compute the keys of descendants in one step [Akl and Taylor (1983); Mackinnon
et al. (1985); Harn and Lin (1990); Chick and Tavares (1989); Santis et al.
(2004); Ray et al. (2002b); Santis et al. (2004); Hwang and Yang (2003);
Hwang (1999); He et al. (2003); Chang and Buehrer (1993)] and others need
to follow the path step by step from the node to its descendant [Atallah
et al. (2005, 2006); Chang et al. (2004); Chien and Jan (2003); Lin (2001);
Zhong (2002)].
Fig. 3.7 illustrates an access hierarchy and the key and edge values.
Each vertex represents a group of members formed from the first level.
Fig. 3.7 An example access hierarchy with its key and edge values.
Now, the access control and dynamic key update are ready. Let us show
different operations.
• Key derivation: assume that vertex vj is a parent node of vertex vi , vj
can derive ki by using its own node key and public information as:
ki = rji + f (kj , IDi ) (3.3)
but vertex vi cannot compute kj because of the one-way feature of the
cryptographic hash function.
• Similarly, if vertex vj is an ancestor node of vertex vi , following the
path from vj to vi , vj can derive vi ’s key iteratively from its own key.
• When a vertex’s key needs to be updated, the update does not affect the
keys of other vertices but just the edge values of its adjacent vertices.
Assume vertex vj's key kj needs to be changed: a new IDj is picked and the new key is computed as kj = f(k̂j, IDj). Then, for vj's parent vertex vp (if any), rpj = kj − f(kp, IDj) is computed as the public edge value. Similarly, the edge values to vj's child nodes vi (if any) are updated.
• Adding and removing a vertex can be processed in a similar way. If a new vertex vj needs to be added, we just pick a new private key k̂j and a new IDj and assign them to node vj. Then, we compute
and publicize the edge values to its parent vertices and child vertices.
Similarly, if an existing vertex vj needs to be removed, we delete all
edges adjacent to the vertex and then remove vj .
• Adding/deleting an edge: adding an edge means computing and publi-
cizing the edge value. As for deleting an edge, such as from vj to vi , if
there exists another path from vj to vi , nothing needs to be done, since
vj still can compute vi ’s key via other paths. But if this is the only
path from vj to vi , vj should not be able to compute vi ’s key (and all
vi ’s descendants’ keys) after deletion. This means that vi ’s key and all
vi ’s descendants’ keys need to be changed. This change can be done by
changing their public IDs only without regenerating or resending the
private keys.
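Key derivation along a path (Equation (3.3) applied iteratively) can be sketched as follows; the chain, keys, IDs, and 64-bit modulus are all invented for illustration:

```python
import hashlib

M = 2 ** 64  # hypothetical modulus for the additive edge values

def f(key: int, node_id: int) -> int:
    """One-way function, reduced to 64 bits for brevity."""
    d = hashlib.sha256(f"{key}|{node_id}".encode()).digest()
    return int.from_bytes(d[:8], "big")

# Toy chain v0 -> v1 -> v2 with invented node keys and IDs
keys = {0: 111, 1: 222, 2: 333}
ids = {0: 10, 1: 11, 2: 12}
edges = {(a, b): (keys[b] - f(keys[a], ids[b])) % M
         for a, b in [(0, 1), (1, 2)]}          # public r_ab values

def derive(path):
    """Iteratively derive the key at the end of path from its first node's key."""
    k = keys[path[0]]
    for a, b in zip(path, path[1:]):
        k = (edges[(a, b)] + f(k, ids[b])) % M  # Equation (3.3) at each step
    return k

assert derive([0, 1, 2]) == keys[2]
```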
The common feature of all existing schemes is that they proposed mech-
anisms about key update at the vertex level, but seldom provide the solution
to the key distribution at the user level, i.e. once a node key is changed,
how to distribute the changed node key to the users belonging to the node?
In the following, we propose a dual level key management which is able to
not only distribute the secret information to a group of users efficiently but
also deal with the node level HAC effectively.
3.4.1 Principle
The new scheme is based on polynomials over a finite field Fq [Lidl and
Niederreiter (1986)], in particular, a novel concept/construction of an access
polynomial (AP). Here q is a large prime serving as the system modulus and is made public. All arithmetic operations are performed mod q, which is omitted for simplicity. The principle is as follows.
The GC selects a random t-degree polynomial h(x) (t > 0), called the masking polynomial, and keeps it secret. The degree t determines the collusion resistance of the polynomials, so the GC can select a large t to ensure security against collusion attacks. A large t will not significantly affect efficiency due to
the linear complexity of our scheme in terms of t. For every vertex vj in
the hierarchy, the GC selects a unique (secret) identification IDj ∈ Fq and
computes h(IDj ) and gives (IDj , h(IDj )) to vj securely (See Section 3.4.4
for the secure distribution using the same mechanism at the user level).
The GC also selects a key kj for every vertex vj .
Now, for every vertex vj , the GC constructs an access polynomial (AP)
Aj (x), using the ID of vj and IDs of all vj ’s ancestors vi as follows:
Aj(x) = (x − IDj) × ∏_{vj ≤ vi} (x − IDi) + 1
4 The access polynomial Aj (x) is just contained in Pj (x) but not Rj (x).
The vertex vj itself can derive its key kj by first computing Sj(IDj) = Pj(IDj) − h(IDj), since
Pj(IDj) = Aj(IDj) ∗ Sj(IDj) + h(IDj) = 1 ∗ Sj(IDj) + h(IDj) = Sj(IDj) + h(IDj),
and Tj(IDj) = Rj(IDj) − h(IDj), and then setting kj = Sj(IDj) + Tj(IDj).
Similarly, an ancestor vi of vj can derive vj's key kj by first computing Sj(IDi) = Pj(IDi) − h(IDi), since
Pj(IDi) = Aj(IDi) ∗ Sj(IDi) + h(IDi) = 1 ∗ Sj(IDi) + h(IDi) = Sj(IDi) + h(IDi),
and Tj(IDi) = Rj(IDi) − h(IDi), and then setting kj = Sj(IDi) + Tj(IDi).
If a user with IDr who is not in vj or any of its ancestral nodes attempts
to get key kj , the user will end up with Sj (IDr )∗Aj (IDr )+Tj (IDr ), which
is a random value and is useless. As a result, correct hierarchical access
control is enforced. Next, we will discuss how the above AP scheme can
support dynamic operations.
• Adding a node as a leaf: The GC assigns the new leaf node a unique
IDnew , h(IDnew ) and key knew . The GC constructs Anew (x) includ-
ing IDnew and ancestral IDs of the new node, computes Pnew (x) and
Rnew (x), and makes them public. No other nodes are affected in any
way.
• Adding an intermediate node: The only change from the above case is
that all descendant nodes of the new node are affected. Each descen-
dant vj needs a new Aj (x) and hence new Pj (x) and Rj (x). Whether
a new key kj is needed depends on application requirements. If the
added node is allowed to access the previous key (thus the data) of its
descendants, the old key kj does not need to be changed. Otherwise, a
new key kj is needed. Since Pj (x) and Rj (x) are public, changing and
sending them to node vj (or multicasting them to the users of vj ) is
simple without any security complication.
• Deleting a leaf node: The GC can delete the node by simply discarding
all its public and private parameters. (The discarded IDs and h(ID)s
should be recorded somehow to prevent them from being re-used until
the system polynomial is refreshed.)
• Deleting an intermediate node: The GC discards all its public and
private parameters. No ancestor of the deleted node is affected in any
way. For every descendant vj of the deleted node, the GC changes key
kj and polynomials Aj (x), Pj (x), and Rj (x). For the descendants of the
deleted node, a policy is used to either place them as the descendants
of the parent (if any) of the deleted node or as the descendants of some
other nodes. We ignore the policy issue since it is irrelevant to our
discussion here.
• Adding an edge: Suppose an edge from vi to vj is added. The GC recomputes Aj(x) to include the IDs of vi and of those ancestors of vi that were not already ancestors of vj, selects a new key kj, and recomputes and publicizes Pj(x) and Rj(x). At the same time, the GC performs this for every descendant of vj which was previously not a descendant of vi.
• Deleting an edge: If an edge from vi to vj is deleted, the GC recomputes Aj(x) to exclude the IDs of vi and of those ancestors of vi that will no longer be ancestors of vj, selects a new key kj (if needed), and recomputes and publicizes Pj(x) and Rj(x). At the same time, the GC performs this for every descendant of vj which will no longer be a descendant of vi.
• Moving a node: It is equivalent to a combination of deleting and adding
a node.
• Merging n nodes: It is equivalent to deleting n − 1 nodes and changing
key materials of one node.
• Splitting a node: It is equivalent to adding a few new nodes and chang-
ing key materials of one node.
When a user leaves a vertex, the vertex's key and all descendant node keys need to be changed. Otherwise, the leaving user may store those keys and continue to use them.
Let us consider a user's departure at a vertex vi. The GC changes key ki to ki′, IDi to IDi′, and h(IDi) to h(IDi′). The GC recomputes Pi(x) and Ri(x) according to the new ki′. Thus the ancestors of vi are not affected in any way: they can get vi's key using the (new) public polynomials Pi(x) and Ri(x) just as they did before. For every descendant vj of vi, key kj needs to be changed to kj′. The GC recomputes Aj(x) using the new IDi′ and computes and makes public the new Pj(x) and Rj(x).
It should be pointed out that once a node’s ID is changed, the new
ID (and its corresponding h(ID)) needs to be distributed to all its users
securely. One elegant feature of our AP mechanism is that the scheme
itself can be used to distribute ID and h(ID) efficiently. As mentioned
previously, every user in the system will be assigned a permanent personal
secret identification SID and a corresponding H(SID) (note: H(x) is a
masking polynomial at user level and multiple H(x)s can be selected/used,
one for each node). Then the GC constructs an AP A(x) which contains
SIDs of all the users belonging to the node and computes and publicizes
two pairs of polynomials
{P1 (x) = A(x) ∗ S1 (x) + H(x), R1 (x) = T1 (x) + H(x)} and
{P2 (x) = A(x) ∗ S2 (x) + H(x), R2 (x) = T2 (x) + H(x)}
where ID = S1 (x) + T1 (x) and h(ID) = S2 (x) + T2 (x). Thus, the users of
the node can obtain ID and h(ID) securely.
As for the complexity of the scheme, it mainly comes from computing the polynomials Pj(x) and Rj(x). Pj(x) has degree m + t and Rj(x) has degree t, so the complexity is on the order of m + t. This linear complexity makes the scheme efficient and allows a larger t to be used. We will discuss this in detail next.
Furthermore, even if IDi were figured out, the attacker would still need to figure out h(IDi).
Let us consider collusion attacks now. The typical collusion is that
two (or more) vertices try to attack their common ancestor. Assume two
users a and b from two vertices with (IDa , h(IDa )) and (IDb , h(IDb ))
collude to attack their common ancestor vj for getting key kj or IDj . Since
Pj (x) contains neither IDa nor IDb , their collusion for getting kj or IDj
from Pj (x) is no stronger than any of them individually. Secondly, let us
consider that they are trying to get IDj from Pa (x) and Pb (x) in which
IDj is contained. The values both users know are ten elements: IDa ,
IDb , Pa (IDa ), Pb (IDa ), Pa (IDb ), Pb (IDb ), Sa (IDa ), Sb (IDb ), h(IDa ),
and h(IDb ). Since Pa (x) = Sa (x) ∗ Aa (x) + h(x), which requires that x be
substituted with the same value in all four polynomials Pa (x), Sa (x), Aa (x),
and h(x), it is impossible for the two users to mix these ten known values
to form informative equations. For example, the two users cannot form
an equation Pa(IDb) = Sa(IDa) ∗ Aa(IDb) + h(IDb) from Pa(x), since it mixes evaluations at different points. Thus,
they cannot get information about Aa (x) and hence IDj . As a result,
this security against collusion aiming at obtaining kj or IDj is achieved
by binding the same x between Sj (x) and Tj (x) and among Pj (x), Sj (x),
Aj (x) and h(x).
The degree of a polynomial decides its collusion resistance. h(x) is of
degree t and so are Sj (x) and Tj (x). Thus, the proposed scheme can resist
the collusion of up to t users. Since Sj (x) and Tj (x) are always changing,
it is difficult and also useless for malicious users to collude to recover Sj (x)
or Tj(x). Thus, a collusion attack will aim at h(x). Since every user holds an ID and h(ID), more than t users can recover the entire h(x) by polynomial interpolation. Moreover, even fewer than t + 1 users, indeed a single user, may be able to figure out h(x): as stated before, when a user departs from a vertex vi, the vertex's IDi and h(IDi) must be changed, so after more than t − 1 user departures from vi, a user who stays at vi throughout obtains at least t new pairs (IDi, h(IDi)) and, together with its original pair, can interpolate h(x). To solve this problem, we can (1) select a larger t and (2) refresh h(x) once the number of ID changes reaches t − 1. Thanks to the efficiency of our scheme, which allows a larger t to be selected, and to its uniform structure, which allows the refreshed ID and h(ID) to be securely and efficiently distributed to users using the scheme itself, the problem can be solved without much difficulty. In addition, it is good practice to refresh h(x) periodically. How often to refresh h(x) is an important issue which
When keys are updated (due to the dynamics), Pj(x) and Rj(x) need to be publicized (or broadcast), which again is O(t + m) and independent of n.
The complexities of the new scheme are summarized in Table 3.1. These complexities are completely independent of n, and thus the new scheme is very efficient and scalable.
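As noted earlier in this section, any t + 1 distinct (ID, h(ID)) pairs determine h(x). The following sketch, our own illustration with a deliberately small degree t = 2 and the example modulus q = 251, demonstrates the Lagrange interpolation attack that motivates refreshing h(x):

```python
Q = 251  # the example modulus used in this section

def lagrange_at(points, x):
    # evaluate the unique polynomial of degree < len(points) through `points`, at x mod Q
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, Q - 2, Q)) % Q  # pow(..., Q-2, Q) inverts mod prime Q
    return total

# a secret degree-2 "h(x)" known to the attacker only through 3 leaked (ID, h(ID)) pairs
def h(x):
    return (7 * x * x + 3 * x + 5) % Q

leaked = [(10, h(10)), (20, h(20)), (30, h(30))]
# with t + 1 = 3 points, h is fully recovered: evaluate it anywhere
assert lagrange_at(leaked, 42) == h(42)
```

With degree t, t points reveal nothing about h at other inputs, but the (t + 1)-th leaked pair fully determines the polynomial; this is exactly why h(x) must be refreshed before t ID changes accumulate.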
Fig. 3.8 An example access hierarchy (nodes N0, N1, . . . , N6; the users {U0, U1, U2, U3, U4} belong to one node).
Suppose the access hierarchy is as shown in Figure 3.8, and let t = 10 and q = 251. We will consider both node level operations and user level operations. Suppose the masking polynomial is:
h(x) = 96x10 + 67x9 + 191x8 + 164x7 + 41x6 + 229x5 + 234x4 + 150x3 +
205x2 + 54x + 61
and the secret node IDs and their corresponding h(ID) for nodes
N0 , N1 , · · · , N6 are:
(ID0 = 85, h(ID0) = 136), (ID1 = 119, h(ID1) = 122), (ID2 = 145, h(ID2) = 177), (ID3 = 30, h(ID3) = 57), (ID4 = 186, h(ID4) = 3), (ID5 = 160, h(ID5) = 18), (ID6 = 225, h(ID6) = 88).
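These example values can be checked mechanically. The following snippet (ours) evaluates h(x) mod 251 by Horner's rule and verifies every listed (IDi, h(IDi)) pair:

```python
# coefficients of h(x) from highest to lowest degree, with modulus q = 251
coeffs = [96, 67, 191, 164, 41, 229, 234, 150, 205, 54, 61]

def h(x, q=251):
    r = 0
    for c in coeffs:          # Horner's rule, reducing mod q at each step
        r = (r * x + c) % q
    return r

pairs = [(85, 136), (119, 122), (145, 177), (30, 57),
         (186, 3), (160, 18), (225, 88)]
assert all(h(i) == v for i, v in pairs)   # all seven (IDi, h(IDi)) pairs check out
```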
Let us first consider node level key distribution and key derivation using
From these SIDs, the access polynomial at the user level can be formed
as:
The number of users and the degree of the polynomial h(x) are the important factors affecting the performance of the scheme. The two main operations we considered are: (1) hiding the key by generating P(x) and R(x) (which of course requires generating S(x) and T(x)); and (2) extracting the key. The program was run on a Dell laptop with a 1.8 GHz CPU and 1.0 GB of RAM. To obtain stable running times, we ran each test case 100 times and averaged the results. The results are shown in Figures 3.9 to 3.12.
From the figures, it can be seen that the running times for computing P(x) and R(x) to hide the secret key, and for deriving the key from P(x) and R(x), are linear in both m and t. This validates the theoretical analysis in the previous section and shows that the scheme is computationally efficient. A large m indicates that the proposed scheme scales to large group sizes and large numbers of ancestors, and a large t indicates that the scheme can defend against collusion by large populations of malicious users.
Fig. 3.9 Running times for hiding key: based on number of users (curves for polynomial degrees 128 and 256; x-axis: 0–1100 users; y-axis: running time in microseconds).
3.4.7 Discussion
In this section, we will summarize the major properties of the proposed
scheme.
Fig. 3.10 Running times for hiding key: based on the polynomial degree (x-axis: degree of h(x), 50–250; y-axis: running time in microseconds).
• A good solution must be generic in the sense that it should have no re-
strictions on the hierarchy. The proposed scheme can be easily applied
to any DAG, even those that have multiple roots.
• The best feature of the proposed scheme is the way in which it deals with user and node level dynamics in a uniform manner. All the cryptography based HAC schemes so far, including the most recent one [Atallah et al. (2005)], lack this capability.
• The proposed scheme is scalable and does not limit the number of vertices or levels in the hierarchy. It works well with a large number of vertices without loss of efficiency.
• Unlike many other schemes which derive keys via an iterative chain,
the proposed scheme derives all keys directly.
• In most other HAC schemes, including the most recent one [Atallah et al. (2005)], every vertex must know both its descendants and the exact hierarchical relation among these descendants, because these schemes derive their descendants' keys via an iterative derivation chain. In contrast, the proposed scheme does not need to know the hierarchical relation among a node's descendants.
Fig. 3.11 Running times for extracting key: based on number of users (x-axis: 0–1100 users; y-axis: running time in microseconds).

• The proposed scheme is very efficient in terms of time and space complexity. Every node has just 3 secrets: its ID, h(ID), and the key. All the other information is public. The computational and communication complexity is O(t + m), which is far better than most of the existing schemes.
• The proposed scheme does not suffer from problems caused by revoked members. Our scheme is truly dynamic and efficient.
• The proposed scheme is very secure. Although most of the key derivation parameters are public, no one can derive keys unless allowed to. The degree of the polynomials is t, which can be very large; even with a large t, the efficiency is better than that of any other t-secure scheme.
How large should t be? In general, t is application dependent. In addition, collusion itself is not an easy task, and a collusion of more than two users may easily be disclosed by the colluding users themselves. In our experiment, with t = 256, the times for hiding and extracting the key for a group of 1024 users are just 0.2 seconds and 0.008 seconds, respectively.
Fig. 3.12 Running times for extracting key: based on the polynomial degree (curves for 512 and 1024 users; y-axis: running time in microseconds).
3.5 Conclusion
Enforcing correct and secure access to resources is becoming increasingly important, and increasingly difficult, in collaborative computing. Cryptography based access control technology is a good fit for the access control problem in such collaborative computing environments. Besides introducing cryptography based access control principles and summarizing typical existing hierarchical access control schemes, this chapter offered a Differential Access Control scheme (based on the key tree scheme and the secure dynamic conferencing principle) and a uniform hierarchical access control scheme (based on the access polynomial). Security and performance analyses and experimental results were presented for both schemes.
Chapter 4
Intruding attacks are a serious problem for networked systems. Intruders attempt to break into a system to gain unauthorized access and to misuse and abuse the computer and network. The purpose of intrusion detection is to identify intrusions of various kinds. After an intrusion is detected, the next step is to trace the location(s) of the intruders; follow-up warning and protection measures (such as blacklisting, isolation, and blocking) can then be applied.
Intrusion detection is an inherent issue, and an increasingly challenging task, in CC environments, since such environments are typically networked systems. Moreover, attacks may come not only from external attackers but also from malicious internal users of CC systems. This book therefore devotes the present chapter to intrusion detection and defense mechanisms.
Some main types of intrusions include attempted break-ins, masquerade attacks, penetration of the security control system, leakage, denial of service, etc. [Denning (1987)]. The models for detecting these intrusions can be classified into three categories [Bishop (2003)]: misuse modeling, anomaly modeling, and specification modeling. Many intrusion detection systems
(IDS), including distributed intrusion detection systems (DIDS), have been
proposed [Guangchun et al. (2003); Koutepas et al. (2004); Stillerman et al.
(1999); Zhicai et al. (2004); Zhang et al. (2003)].
Among various intruding attacks, DoS (and Distributed DoS) attacks
1 This chapter is mostly contributed by Scott Orr, the Lead Network Engineer, and Leah Cardaci, a graduate student, of the Computer and Information Science Department at IUPUI.
are the most dangerous, because such attacks are easy for attackers to launch but hard for the server or victim to defend against. Some defense approaches include single-node defense methods [Bencsath and Vajda (2004); Jin et al. (2003b); Tanachaiwiwat and Hwang (2003)], multiple-node defense methods [Zhang and Dasgupta (2003)], and honeypot technology [Krawetz (2004); Spitzner (2003)].
In order to locate intruders, two common traceback strategies have been proposed. The first relies on the routers in the network to send their identities to the destinations of certain packets, either by encoding this information directly in rarely used bits of the IP header or by generating a new packet to the same destination. The second involves centralized management and logging of packet information on the network.
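The first (router-marking) strategy can be illustrated with a toy version of probabilistic packet marking. This sketch is ours, not from the text: the marking probability is deliberately exaggerated for clarity, and the router names are illustrative:

```python
import random
from collections import Counter

def forward(path, p):
    # each router along `path` overwrites the single mark field with probability p;
    # the surviving mark is from whichever router marked last (closest to the victim)
    mark = None
    for router in path:
        if random.random() < p:
            mark = router
    return mark

random.seed(1)
path = ["R1", "R2", "R3", "R4"]          # attacker-side router ... victim-side router
marks = [forward(path, p=0.5) for _ in range(20000)]
counts = Counter(m for m in marks if m is not None)
# routers nearer the victim overwrite earlier marks and so appear more often;
# sorting by frequency recovers the path order, victim-side first
print([r for r, _ in counts.most_common()])   # → ['R4', 'R3', 'R2', 'R1']
```

Real marking schemes use a much smaller probability and squeeze the mark into scarce IP header bits, so the victim must collect many more packets before the path order becomes statistically clear.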
Intrusion detection and traceback systems themselves can be the (first)
targets of attacks by intruders. Hence, they should be implemented to be
secure and robust against attacks. Recently, a powerful new architecture for defending against DoS/DDoS attacks, called Secure Overlay Service (SOS), was proposed [Keromytis et al. (2004)]. SOS hides the target server behind an overlay network, so client requests cannot go to the target server directly; instead, they must first go to a SOAP (Secure Overlay Access Point) at the edge of the overlay network, pass through several protecting/filtering layers, and finally arrive at the target server (if they pass all checks).
Thus, this chapter summarizes and classifies typical intruding attacks, typical intrusion detection models, and traceback mechanisms. It then focuses on DoS (DDoS) attacks and techniques for defending against them. Finally, the chapter discusses some new DoS/DDoS-resistant architectures, such as SOS.
A false positive occurs when the IDS identifies benign activity as an attack; a false negative occurs when the IDS fails to recognize an attack as objectionable activity. Each type of alarm error has its own associated problems. The problem with a false negative is straightforward: an attack has gone through undetected, so the IDS has failed in its purpose. A false positive, while it does not involve a successful attack, also harms the operation of the system: it undermines the effectiveness of the IDS, because the impact of an alarm is lessened as more false alarms are encountered. The different models used typically tend towards one type of error over the other, although, technically, each model can see either type of error.
From the architectural point of view of IDS systems, two classes can be identified: Host-based IDS (HIDS) and Network-based IDS (NIDS). The original IDS models were host-based; that is, each IDS agent looked at the records generated by one or more hosts. Typical host-based records include system logs and application logs, which provide a view only of what is happening on one system. The IDS may look at a variety of activity such as system calls, file accesses, login information, and other host-based activity. In an NIDS, the IDS agents look at all of the network traffic visible from their locations. Depending on the topology of the network, multiple agents may be needed to see all of the traffic for the area to be monitored. An NIDS can gather information on the general nature of the traffic, or even examine the contents of the traffic. One future challenge for the latter approach is the increasing use of encryption for network traffic, which prevents the contents of packets from being readable. The first NIDS was the Network Security Monitor (NSM) [Heberlein et al. (1990)].
Of course, both types of IDS have certain advantages and can see certain types of attacks that may be difficult or even impossible for the other to see. Clearly, it is easier for an NIDS to see network-based attacks, such as DoS/DDoS attacks and port scanning. In contrast, an HIDS is more likely to catch insider attacks, since such attacks may not generate any network traffic and therefore will not be visible to an NIDS. For this reason, some IDSs combine the two types to provide more thorough monitoring [Bishop (2003)].
The above models are, for the most part, centralized, and have certain disadvantages, so Distributed IDS (DIDS) models have been proposed. In a DIDS, monitoring of hosts, recording of audit data, and processing of data are performed in a distributed manner [Snapp et al. (1991)]. Some typical DIDS systems are Autonomous Agents For Intrusion Detection (AAFID) [Balasubramaniyan et al. (1998)] and its enhancement, the Cooperative Itinerant Agent (CIA) [Pez et al. (2006)]; a distributed intrusion detection system using mobile agents (DIDMA) [Kannadiga and Zulkernine (2005)]; and the Fault-tolerant Grid Intrusion Detection System (FGIDS) [Leu et al. (2006)].
Before going into detail, we introduce some related issues here.
tion, they could extract the relevant information to see the signature of an
attack.
(1) Preparation. This is the first step: it plans and prepares for attacks, and it should occur even before any attack is detected. It establishes rules, procedures, and mechanisms for detecting and responding to attacks.
(2) Identification. This step tries to track and locate the attack source once an intrusion is detected, and it triggers the rest of the steps. This may be one of the most challenging tasks in intrusion response. Section 4.7 will discuss traceback in detail.
(3) Containment. This step confines the attack by limiting the attacker's access to the system and reducing the attacker's protection domain as much as possible. To do so, the response engine must closely monitor the attack and constrain the attacker's actions; the former is passive and easy to do, but the latter is considerably more difficult. One typical technique is to use a honeypot [Spitzner (2003)]: when an IDS detects an attack, it takes actions to shift the attacker to a honeypot. The honeypot isolates the attacker so that the intruded system can recover and function normally.
(4) Eradication. Eradicating an attack means to stop the attack and block
Among all intruding attacks, the Denial of Service (DoS) attack (along with its distributed form, DDoS) is the most serious, because such an attack is easy to launch but almost impossible to defend against. In fact, the victim may not initially realize it is under attack and may attribute the access problems to network failures. In this subsection, we discuss DoS/DDoS attacks in detail.
(1) Mail Bombing. Mail bombing was one of the earliest forms of attack against UNIX systems. All the attacker does is continually send large emails to a system which accepts SMTP connections. The disk partition used to store incoming email messages was often the same one used by parts of the operating system to store temporary files; should the partition fill up entirely, the system would typically crash. One advantage from the victim's point of view is that it is generally easy to determine where the attack originated: even if the sender's email address was forged, the message envelope contains the entire delivery history, including the attacker's IP address.
(2) Service Flooding. While the goal of mail bombing attacks is to deplete available disk space, other attacks focus on consuming all of a computer's memory or fully utilizing the CPU so that no other programs can run. Most network daemons listen for incoming network service requests, and each time one is received, the daemon forks a copy of itself to provide the desired information; once that information has been transmitted, the forked copy terminates. The system has no way to determine whether the requests are legitimate; it simply answers each one. Knowing this, the attacker sends a continuous stream of requests to a particular service (e.g. HTTP). The victim cannot keep up with the flood of requests, resulting in diminishing system performance and possibly application crashes.
This form of attack is not always intentional. Errors during the de-
velopment of network client programs can have the same effect. One
personal example occurred in the mid 1990s. A general purpose SunOS
server running the finger daemon (an early user directory service) re-
ceived a flood of requests from entry level Computer Science students
learning how to fork processes. The assignment instructed them to use
the finger client to connect to this system. In a matter of minutes, the
server was unable to run any new programs.
(3) SYN Flooding. SYN floods are one of the most famous types of attack and take advantage of the basic design of TCP/IP communication.
Each packet sent to a remote system includes a sequence number to
uniquely identify itself. The sender then increments this number before
sending the next packet. The recipient collects these packets and uses
the sequence numbers to make sure the packets are processed in the
proper order. Should one or more packets fail to be received within
a preset time period or errors be found in the received packets, the
recipient will request, by sequence number, that the sender retransmit
these packets. To make this model work, a client and server must
first exchange initial sequence numbers. This is known as the SYN-
Handshake. The client sends a SYN packet to the server requesting
a new channel be created and includes an initial sequence number.
The server acknowledges that it received the client’s sequence number
by sending a SYN-ACK packet and includes its own initial sequence
number. Once the client acknowledges it received this information via
an ACK packet, the actual service request can be sent.
In a SYN Flooding attack, the attacker sends a SYN packet to the
target but never acknowledges the receipt of the target’s SYN-ACK
packets. The target must keep these “half-open” connections active
for a set period before assuming a failure occurred and closing the
port. Meanwhile, the attacker sends more SYN packets at a rate much
faster than the failed connections are torn down. Eventually, the server
can no longer receive any new communication requests from anyone.
Of course, if the attacker uses his own IP address, the attack can be
stopped fairly quickly by blocking that address at the server level, net-
work border router, or firewall. To bypass this check, the attacker
often randomly spoofs the sender address in the SYN packets. Doing
so makes it impossible for the victim to determine which connection re-
quests are legitimate and which are part of an attack [Costa-Requena
(2001)].
(4) Land Attack. The Land attack is an interesting variation on the SYN flood. For SYN floods to be effective, the attacker must continue to send SYN packets to the victim, and even with IP spoofing, the attacker's Internet Service Provider (ISP) may notice the increased volume of network traffic and block the attacker's connection. To reduce the number of packets he must send, the attacker spoofs the source IP address of a SYN packet to match the victim's own address. The victim's system then continually answers its own SYN packets until it eventually crashes. This vulnerability was first discovered in 1997, but the problem recently resurfaced in Microsoft Windows Server 2003 and XP SP2 [Kenney (1996)].
(5) Fraggle Attack. All the previous flood attacks have relied on TCP/IP packets, which are connection oriented; for such an attack to be launched, the victim's system must have some service listening on a particular port. UDP, on the other hand, is a connectionless protocol which does not require a session to be set up first, nor does it carry the overhead required to make sure all packets are processed properly. When a
The advantages of such an attack are twofold. Because the actual packets sent by the attacker are not received by the victim, it is more difficult to track the attack to its origin. The network also serves as an attack amplifier: one ICMP Echo Request may result in hundreds of reply packets directed at the victim [Patrikakis et al. (2004)].
(3) Chargen Attacks. Chargen attacks [Specht and Lee (2004)] are a variation of the Fraggle attack discussed in Section 4.5.1.1, taking advantage of the chargen service. Chargen is a special service, bound to port 19, that was traditionally used to test network capacity: when a connection was made to this port, it would respond with a string of characters. While not used often anymore, many systems still include it as part of the operating system.
To launch this sort of attack, the attacker first searches for systems with the chargen service active. He then sends UDP packets to port 19, spoofing the source IP address as that of the victim. The intermediate host responds with a character string to the victim's echo service port, and as per the protocol, the victim responds in turn. This sets up an endless loop until the victim's system fails. Often one system is not enough to guarantee failure of the victim, so a number of intermediate systems may be used, just as with the Smurf attack described previously [Costa-Requena (2001)].
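The SYN flooding mechanism described in item (3) above can be illustrated with a toy simulation. The backlog size, timeout, and packet rate below are our illustrative assumptions, not values from the text:

```python
import itertools

BACKLOG = 128        # illustrative size of the server's half-open connection table
TIMEOUT = 30.0       # seconds before an unanswered half-open entry is dropped
half_open = {}       # spoofed source address -> arrival time of its SYN

def on_syn(src, now):
    # drop entries whose SYN-ACK has gone unanswered past the timeout
    for a in [a for a, t0 in half_open.items() if now - t0 > TIMEOUT]:
        del half_open[a]
    if len(half_open) >= BACKLOG:
        return False                # table full: new connection requests are refused
    half_open[src] = now            # "send" SYN-ACK and wait for the final ACK
    return True

# the attacker sends spoofed SYNs far faster than stale entries can expire
clock = 0.0
for i in itertools.count():
    clock += 0.01                        # 100 spoofed SYNs per second
    src = f"10.0.{i // 256}.{i % 256}"   # spoofed addresses, so no ACK ever arrives
    if not on_syn(src, clock):
        break
print(f"backlog exhausted after {i} SYNs, {clock:.2f}s into the attack")
```

Because the spoofed sources never complete the handshake, the table fills after BACKLOG packets, long before the first entry times out; from then on legitimate clients are refused.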
The systems chosen to become slaves are usually those on networks with large amounts of bandwidth. The remaining compromised machines run the master control program; the purpose of the master stations is to control the slaves. When slaves are created, they communicate with the master systems and receive commands (e.g. attack a target, or shut down) from them. The attacker communicates only with the master stations. The whole system (sometimes referred to as a botnet) thus becomes a three-tier structure, providing the attacker added protection from discovery. A variation of this, known as a Distributed Reflective Denial of Service (DRDoS), describes situations where slaves send packets to networks vulnerable to launching Smurf or Chargen attacks; in these cases, there are four tiers between the attacker and the victim.
others pull the source from a centralized server. After the software
is installed, it makes contact with the master station and may even
conduct probing operations on its own.
(2) Command and Control. With the DDoS software in place, the com-
munication network needs to be established. Early versions of these
tools would make use of the master stations to relay commands from
the attacker to the slaves. The transmissions themselves were initially
in plaintext, but later tool authors added encryption. The reason for
the added security was simple: plaintext messages were easy for anyone
to intercept, and third parties (including defenders) could forge their
own commands to hijack or shut down entire botnets. In fact, this was a
common occurrence when groups fought for control of various Internet
Relay Chat (IRC) servers and social networks.
Encryption was not only used for communication but also to protect
data stored on slave and master nodes. When a slave was activated, it
needed to contact a master system to get further instructions. The only
way early clients knew who to contact was via a file installed with the
software that listed all the master station addresses. Of course, should
that slave system be discovered, that file could then be used to identify
other nodes that were part of the botnet. At that point, the attacker
would lose control of everything he had built. By encrypting these files,
the possibility of the entire botnet being compromised was lessened.
Even with encryption, botnets were susceptible to traffic analysis.
Investigators could use this information to find and shut down master
and slave nodes. With a little luck, they might also be able to track
down the attacker. To avoid these problems, later DDoS tools moved away
from direct communication between masters and slaves and instead used
IRC servers to exchange messages.
IRC was an early real-time chat system loosely modeled after the
Citizens Band (CB) radio networks commonly used by police and delivery
truck drivers. In the case of
IRC, a group of servers would form a virtual environment that might
have hundreds or thousands of channels that users could join. Mes-
sages sent to these channels were viewable by everyone who had joined
them, regardless of which server they initially connected to. Optionally,
private messages could be sent between individual users.
DDoS botnets made use of this by creating their own channel on an
existing IRC network or by running their own IRC server on a non-standard
port on one node within the botnet. Masters and slaves would then
join the IRC network and channel as specified in the DDoS software.
Any message sent to the channel could be processed by any node, and
new masters could be added to the botnet at any time. Should any node
be discovered, forensic analysis or reverse engineering would reveal
only the channel being used, not the addresses of the master stations,
and changing channels (or networks) was just a matter of sending
one command via the original channel.
(3) Attacks. For the most part, botnets remain dormant. As new nodes
are added, they exchange information with master stations, but then
they just wait until needed. The demands they place on the host systems
are negligible, so end users are unaware that their systems have been
compromised. It isn't until the command comes that they begin to
launch their attack.
Most DDoS slaves will utilize a number of the DoS flood and redirection
attacks discussed in sections 4.5.1.1 and 4.5.1.2. The more they mix
attack types, the harder it is for the victim to determine legitimate
from attack traffic. Commands may also specify the duration of the
attack. For example, it could say to use a Smurf attack for 15 minutes
then stop.
Not all attacks rely on communication channels to determine when to
launch. Some DDoS worms hard-code the attack target and time. Those,
however, have a specific goal and afterward shut down or await a tool
upgrade via a new version of the worm.
(1) Trinoo. This was one of the first such tools to be discovered, and it
established the pattern that later tools followed. Communication between attacker/masters and
masters/slaves used dedicated ports and connections were password
protected. Attacks consisted of UDP packets sent to random ports on
the target for whatever duration the attacker chose [Dittrich (1999a)].
(2) Tribe Flood Network (TFN). The attacker connected directly to master
stations via remote shells or telnet directly to the port used by the
(7) Trinity. This tool was the first to use IRC as the means of communi-
cation. When systems were compromised and the tool installed, they
would connect to a public IRC server and await further commands.
Attack payloads include UDP, SYN, TCP ACK, and RST floods as
well as teardrop attacks [Alert (2000)].
(8) Phatbot. This is not merely a DDoS tool but an entire arsenal of attack
tools. Once a system is infected with this worm, it can be used as a
vulnerability scanner or an email address harvester for spamming
(just to name a few uses), in addition to launching DDoS attacks. Attack
payload includes SYN, UDP, and ICMP floods as well as a “targa”
flood (a variation of the Teardrop attack), a “wonk” flood (sending a
SYN packet followed by 1023 TCP ACK packets), and various HTTP
“Get” floods (some with delay settings so as to make these requests harder
to differentiate from legitimate web page requests) [Group (2004)].
network traffic, SYN and FIN packets should appear in symmetric pairs. To
accumulate these pairs, they used a non-parametric CUSUM method that
estimated the average duration of TCP connections, which varies with a
network's status. These single-node defense methods, however, inevitably
cause collateral damage to legitimate traffic destined for the victim
that the system is trying to protect.
push the hashed subset of its IP address onto the stack, but since it knows
what the next hop should be, it can also push that router's hash segment
onto the stack. This solves the issue of having non-PI-supporting routers
in the path, but among neighboring routers that do support PI markings it
could produce many duplicate entries. To remedy this, before pushing
any data onto the stack, a router checks the hash value at the top of the
stack; if that value matches the one it would push to identify itself, it
skips that item and pushes only the hash data for the next router.
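The duplicate-suppression rule can be sketched as follows. This is a toy model: the marking stack is a plain Python list and the "hash fragments" are arbitrary values, whereas real Pi markings are a few bits derived from hashes of router addresses and packed into scarce IP header space:

```python
def pi_mark(stack, my_hash, next_hop_hash=None):
    """One router's Pi-style marking step.

    Push this router's hash fragment onto the packet's marking stack,
    skipping the push when the top of the stack already carries the
    same fragment (a neighbor pushed it on our behalf).  A router
    bridging a non-participating next hop may also push that next
    hop's fragment in advance.
    """
    if not stack or stack[-1] != my_hash:
        stack.append(my_hash)
    if next_hop_hash is not None:
        stack.append(next_hop_hash)
    return stack
```

Walking a packet through three routers shows the suppression: router A pushes for itself and for non-participating B; when B's fragment is already on top, B (or A's proxy push) is not duplicated.

```python
s = pi_mark([], 'a', next_hop_hash='b')  # A marks itself and next hop B
s = pi_mark(s, 'b')                      # B sees its fragment on top: skip
s = pi_mark(s, 'c')                      # C marks normally
```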
4.6.3 Honeypot
Honeypot technology, proposed in recent years, provides another perspective
on detecting and preventing DoS/DDoS attacks: a honeypot is a target
deployed to attract hackers so that ongoing attack activities can be analyzed [Spitzner (2003)].
A honeypot can be defined as an information system resource whose value
lies in unauthorized or illicit use of that resource [Spitzner (2003)]. Due
to the nature of a honeypot, any traffic destined to it is most likely to be
an attack, and subsequent response schemes can be invoked to alert the
protected server and further reveal the attack's origins. Usually, honeypots
are fixed in location and are easily detected by sophisticated
attackers [Krawetz (2004)]. If malicious attackers can detect honeypots,
they can bypass detection and even can utilize them to attack other sys-
tems. A roaming honeypot technology, proposed by Khattab et al. [Khattab
et al. (2004)], can thus blur detection and provide a more secure service.
In their scheme, honeypots are idle servers drawn from a pool of servers,
and they keep changing to make the roaming honeypots unpredictable. This
roaming scheme mitigates service-level DoS attacks against the back-ends
(e.g., database servers) of private services. However, the scheme requires
the servers in a server pool to constantly change their roles, acting
either as working servers or as honeypots, which could result
in a high cost of maintaining data consistency among servers. Meanwhile,
determined attackers can send traffic directly to back-end servers, without
passing through the access gateway (AG) overlay network, to degrade the
servers' performance.
Honeypots take different forms to target different situations. According
to the level of interaction an attacker is allowed to have with a honeypot,
they are classified as low-interaction or high-interaction honeypots.
Low-interaction honeypots restrict the interaction between an attacker and
the honeypot. This effectively limits the scope of the attacker’s actions
One important issue related to intrusion detection is the ability to track the
source of the intrusion. This can result in the prosecution of the attacker or,
at least, discovering other systems he or she has compromised and informing
the appropriate parties. Also, it helps in mitigating DoS/DDoS attacks
either by isolating the identified attack sources or by filtering attack packets
far away from the victim as proposed in the IP traceback-based intelligent
packet filtering technique [Sung and Xu (2003)]. There are many factors
which help attackers to stay behind the scenes and hence complicate the
process of traceback: the distributed anonymous nature of DDoS attacks,
the stateless nature of the Internet, the destination oriented IP routing,
and the fact of having millions of hosts connected to the Internet (implying
huge search space) [Al-Duwairi and Govindarasu (2006)]. In particular,
the most challenging factor in traceback is that attackers have developed
many methods to hide the ultimate source of the attacks. Lee and Shields
illustrated the different methods an attacker can use to hide the source of
malicious traffic. First, if a connectionless attack, such as a flooding DoS
attack, is involved, simple IP spoofing will work. If the attack requires
two way communications, hiding the source becomes more difficult as there
must be some way for the attacker to receive or properly respond to the
target host’s replies. Two simple methods are to guess that the proper
replies were made and blindly follow the conversation with the host or to
guess at the TCP sequence number and capture the packets assumed to
be part of the communication (as many systems use a predictable series of
both the traced message and the ITrace-CP message, it will modify the
ITrace-CP message by adding its address to the message and send it to the
next hop router along the path followed by the IP packet being traced. If
the router received the ITrace-CP message but not the traced packet, it will
send an unaltered copy of the ITrace message to the destination address of
the traced packet. This method allows for partial paths to reach the host
and thus makes reconstructing the entire path of malicious traffic easier,
as fewer packets will be needed to perform the reconstruction [Lee et al. (2003)].
Another approach is to simply have each router store a log of each packet
it has seen. However, given the large number of packets in typical network
traffic, storage space and the efficiency of checking for a packet become
an issue.
router which does not choose to record a link in the packet will increment
this value. When the packet arrives at the victim, the distance value indi-
cates how many hops are in the path from the victim to that router. As a
result, the path from the victim back to the attack origin can be more eas-
ily and quickly constructed. This method is called edge sampling [Savage
et al. (2000)].
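A small simulation of the marking scheme above, under the usual assumptions (each router marks the edge start with probability p; otherwise it completes a started edge and increments the distance), might look like this. Names and the dict-based "mark" are illustrative; the real scheme overloads bits of the IP header:

```python
import random

def edge_sample(mark, router, p=0.04):
    """One router's decision under Savage-style edge sampling."""
    if random.random() < p:
        # Start a new edge: record ourselves and reset the distance.
        mark['start'], mark['end'], mark['distance'] = router, None, 0
    else:
        if mark['distance'] == 0:
            mark['end'] = router  # completes the edge (start -> end)
        mark['distance'] += 1     # non-marking routers count hops
    return mark

def send_along_path(path, p=0.04):
    """Simulate one packet traversing the routers in `path`; the
    victim reads whatever mark survives."""
    mark = {'start': None, 'end': None, 'distance': 0}
    for r in path:
        edge_sample(mark, r, p)
    return mark
```

At the extremes the behavior is easy to check: with p = 1.0 the last router always overwrites the mark (distance 0), and with p = 0.0 the distance counter simply accumulates the hop count.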
In order not to increase the packet length, the paper [Savage et al.
(2000)] also suggests that the marking information be recorded in the
Identification field of the IP header. Since the mark is part of the packet,
it is unlikely that an attacker would attempt any forgeries.
The biggest problem with this approach would appear when the packet
needed to be fragmented later in order to complete its journey. The marking
system is incompatible with the fragmentation part of the protocol. Also,
like ICMP Traceback, not every packet should be marked but only a small
sample of them. The same sample rate was used as above.
include both the mutability of certain standard and extended IPv6 header
fields and tunneling such as IPv6 over IPv4 and IPsec [Strayer et al. (2004)].
Since these hashes would only be available for a very short amount of
time, the target of a DoS/DDoS attack would only have a brief period in
which to trace the packets. Another concern about this approach is that
routers already have a finite amount of memory and are busy forwarding
packets. Calculating hashes, even weak ones, and storing them puts an
additional burden on these devices. A proposed revision would be to mirror
the traffic from the interfaces to a separate device that would
calculate and store the hashes. Those devices could also be on a different
network to be queried and not interfere with the normal data flow to the
target.
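The brief, windowed storage of packet digests can be sketched as follows. This is a simplification: a plain set per time slice stands in for the space-efficient Bloom filters used in hash-based traceback, and the class and field names are illustrative:

```python
import hashlib
import collections

class PacketDigestStore:
    """Time-windowed store of packet digests.  Old slices are evicted
    automatically, modeling the short period during which a traceback
    query can still succeed."""

    def __init__(self, windows=3):
        # One digest set per time slice; deque(maxlen=...) drops the
        # oldest slice when a new one is appended.
        self.slices = collections.deque(maxlen=windows)
        self.slices.append(set())

    @staticmethod
    def digest(packet_bytes):
        # Real systems hash only the fields invariant across hops.
        return hashlib.sha1(packet_bytes).digest()[:8]

    def record(self, packet_bytes):
        self.slices[-1].add(self.digest(packet_bytes))

    def tick(self):
        """Advance time; the deque evicts the oldest slice."""
        self.slices.append(set())

    def saw(self, packet_bytes):
        d = self.digest(packet_bytes)
        return any(d in s for s in self.slices)
```

A victim querying quickly gets a hit; once enough ticks pass, the digest is gone and the trace fails, which is exactly the time pressure described above.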
inherently built for a packet because the marking field in the packet serves
as a pointer to the last router that did the marking for the packet and the
marking table of that router contains a pointer (i.e., the IP address) to the
previous marking router and so on. When a traceback request message is
sent, it can be sent to the last router to mark the packet. This router can
then confirm it forwarded the packet, add its information to the path list in
the traceback request message, and then use its stored mark to look up the
previous router marking the packet. In this manner the traceback request
can follow the path of markings until a dead end is reached, at which point
a dead-end message will be sent back to the victim with the complete path
up to the dead end.
(1) if P is not already marked, R loads that information into P, (2) otherwise
(i.e. P is already marked), R swaps the buffered mark information with P’s
current marking information. Note that R cannot perform its own marking
on packets for a destination when a buffered marking with the same
destination exists. However, this is not a big problem, since we assume the
attack involves a large number of packets and it is sufficient to obtain only
one mark per router.
As can be observed, DLLT needs to keep the marking information in the
routers for a long time, and the routers need to participate in the
construction of the packet path. In contrast, PPPM will clear the buffered marking
information periodically or when it has been loaded. Furthermore, the
destination itself can construct the packet path from the received packets.
4.7.6 Pushback
One of the problems with the traceback approaches is that while it may
help identify the sources of a DoS/DDoS attack, it isn’t able to do anything
to stop them. Pushback [Mahajan et al. (2001)] is an attempt to address
this. When a DoS/DDoS attack starts, the target’s router looks at the
volume of traffic coming from each upstream router and sends a message
to those routers which seem to be sending an excessive amount of traffic.
Each upstream router, in turn, does the same thing until the message is
received by the border routers for each of the networks involved in the attack.
Those routers then block all systems responsible for attack traffic. The ef-
fect is essentially like pulling the plug on those offending networks. While
waiting for the routers to stop the flow of traffic, the border router for the
network being attacked will set up rules to put rate limits on those routers
forwarding the attack packets.
Of course this system assumes that the network traffic is not equally
distributed across all the interfaces. If it were, it would be much more
difficult to discover the attack sources. Also, pushback only works if all
routers support this feature; otherwise the target network gets only partial
relief.
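The upstream rate-limit decision can be sketched as a toy model: one router, per-link observed rates, and an even fair-share split. Real Pushback works on traffic aggregates rather than whole links, and the function name is illustrative:

```python
def pushback_requests(link_rates, capacity):
    """Decide which upstream links to ask to throttle.

    link_rates: {upstream_link: observed arrival rate}.
    Returns {upstream_link: requested rate cap} for links carrying a
    disproportionate share; empty when there is no congestion.
    """
    total = sum(link_rates.values())
    if total <= capacity:
        return {}                      # no congestion, nothing to push back
    fair = capacity / len(link_rates)  # even split of the output capacity
    # Only links exceeding their fair share are asked to rate-limit.
    return {link: fair for link, rate in link_rates.items() if rate > fair}
```

Here a link flooding at 150 units against a capacity of 100 gets a throttle request, while modestly loaded links are left alone; each upstream router would then repeat the same computation on its own inputs, propagating the limit toward the sources.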
The system works by taking the hash values of all key files when an
operating system and key software packages are installed and storing
these hashes in a database. These values are then periodically recal-
culated and compared to those in the database. If the values match,
the files have not been modified. Otherwise, further investigation is
warranted.
Finally, the system itself needs to be configured such that only those
services which are needed are in place. In addition, operating system
specific hardening measures should take place (e.g. SYN Cookies on
Linux systems to prevent SYN Flood attacks). Tools like Microsoft’s
Baseline Security Analyzer and those freely available from the Center
for Internet Security are particularly helpful to ensure operating sys-
tems and major network service daemons are properly configured and
locked down.
(2) Egress/Ingress Filtering. Steps can also be taken at the network level
to ensure systems within that network are not participating in an at-
tack. Much can be done at the border routers. The first thing to do is
to configure egress filter rules. Most people think of firewall and router
packet filtering as focusing specifically on the traffic coming into a
network; egress filter rules instead check packets leaving the local
network. This helps prevent a site from participating in a DDoS
attack because most of the DDoS attacks we have mentioned rely on IP
source address spoofing. If the router sees a packet leaving the local
network with a source address that does not belong to the network's
internal IP space, that packet should be discarded.
Likewise, ingress filtering (filtering of incoming packets) can also minimize
participation in DDoS attacks. DDoS attacks that use redirection
techniques (e.g. Smurf attacks) need to be able to send their packets
to the broadcast address of intermediate networks. There is no reason
such traffic should be allowed [Institute (2000)].
(3) Bogon Filtering. Ingress filtering can also help reduce the volume of
traffic directed against your network. Again, since many source ad-
dresses are spoofed, chances are that many will be “bogons”. Bogons
are IP addresses that have not been assigned by the Internet Assigned
Numbers Authority (IANA) or a Regional Internet Registry (RIR). These
include all address blocks that are available but have never been assigned
to anyone, as well as those defined by RFC 1918 and RFC 3330
for internal use only [WebSite (2006)].
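Both the egress and bogon filters described above reduce to address-membership tests, sketched below with Python's ipaddress module. The internal prefix and the bogon list are partial, illustrative examples; production bogon lists are maintained from current IANA/RIR allocation data:

```python
import ipaddress

# Hypothetical local address space (a documentation prefix).
INTERNAL = ipaddress.ip_network('192.0.2.0/24')

# Illustrative bogon sample: RFC 1918 private blocks plus loopback
# and link-local ranges from RFC 3330.
BOGONS = [ipaddress.ip_network(n) for n in (
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
    '127.0.0.0/8', '169.254.0.0/16',
)]

def egress_permit(src_ip):
    """Outbound packets must carry a source address from our own
    space; anything else is spoofed and should be dropped."""
    return ipaddress.ip_address(src_ip) in INTERNAL

def ingress_permit(src_ip):
    """Inbound packets must not claim unallocated/reserved space."""
    ip = ipaddress.ip_address(src_ip)
    return not any(ip in net for net in BOGONS)

assert egress_permit('192.0.2.77') and not egress_permit('10.9.8.7')
assert ingress_permit('198.51.100.9') and not ingress_permit('10.1.2.3')
```

In practice these checks live in router ACLs rather than host code, but the logic is the same membership test per packet.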
While best practices could help significantly reduce the number and
magnitude of DoS/DDoS attacks, it is unreasonable to assume all networks
and computers would be configured properly. With DSL and broadband
cable becoming more popular for connecting residential sites, the number of
potential botnet members increases. That being the case, research into
new techniques for DoS/DDoS defense and prevention is a must. Here is
a brief summary of some of the stronger projects.
4.8.2 D-Ward
While in the previous methods the target network initiates action in response
to the attack, D-Ward [Mirkovic and Reiher (2005)] was designed for networks
to act as good neighbors. Basically, it works like an anomaly/misuse
IDS looking at both incoming and outgoing traffic at the border router.
Models are initially created based on normal application and protocol traf-
fic levels and grouped into traffic patterns that are benign/legitimate, sus-
picious, or attack. The system then looks at network flows to remote sites
as well as to individual nodes within the local network. If it sees anything
that it deems as suspicious or as a potential attack based on the models,
it imposes bandwidth rate limits (lesser ones for suspicious, stronger ones
for potential attacks). Notice that local systems are not blocked even
if the traffic they are sending is suspected of being part of an attack. This is to
minimize the effects of false positives.
4.8.3 Netbouncer
This approach [Thomas et al. (2003)] is much like creating whitelists to
allow access to local systems from others on the Internet. Before network
traffic is allowed in from the outside, the sending node must first prove
that it is an actual system. Many spoofed addresses don’t correspond to
systems that are active, so when Netbouncer sees a packet from a network
not listed in its whitelist, it will send an ICMP packet to that node. If it gets
a response, then Netbouncer knows that the remote node is a legitimate
system and adds it to its whitelist. Further tests check whether the network
ports being used are actually appropriate for the protocol being received.
If the remote system passes all these tests, then its traffic is passed. This
system is much like having to type in the distorted letters incorporated
into an image as part of web form submissions.
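The admission logic can be sketched as follows. The class name is hypothetical, and the liveness probe is abstracted into a callable rather than a real ICMP exchange:

```python
class NetBouncerGate:
    """Whitelist gate in the spirit of NetBouncer.

    `prober` is any callable returning True when the source answers a
    liveness challenge (e.g. an ICMP echo in the real system)."""

    def __init__(self, prober):
        self.prober = prober
        self.whitelist = set()

    def admit(self, src_ip):
        if src_ip in self.whitelist:
            return True                  # previously proven legitimate
        if self.prober(src_ip):
            self.whitelist.add(src_ip)   # real host answered: remember it
            return True
        return False                     # likely spoofed: no host replied
```

A quick run with a simulated probe shows the behavior: live hosts pass the challenge once and are then admitted from the whitelist, while spoofed addresses never produce a reply.

```python
live_hosts = {'203.0.113.5'}
gate = NetBouncerGate(lambda ip: ip in live_hosts)
gate.admit('203.0.113.5')    # probed, answers, whitelisted
gate.admit('203.0.113.99')   # spoofed: probe gets no reply, dropped
```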
The big problem with a system like this is an attack that spoofs an
4.8.4 DefCom
DefCom [Mirkovic et al. (2003)] uses a distributed model which incorporates
defense mechanisms at both the victim and attack source networks as well
as at core parts of the Internet backbone. When these components detect
that an attack is underway, the system counters by imposing traffic rate limits on
those packets found to be part of the attack.
There are three types of nodes: alert generators, which detect the
occurrence of an attack; rate limiters, which impose traffic limits on the
traffic passing through them; and classifiers, which try to identify and
mark both attack and legitimate traffic. The alert generators and classifiers
are positioned at the borders of local networks. Rate limiters are typically found
as part of core routers. The alert generators (added to firewalls) detect
the attack and, through a backchannel, communicate with the rate limiters and
classifiers. The rate limiters near the victim network begin to limit the
amount of traffic passed with additional rate limiters further upstream as-
sisting later. All the filtering is based on the markings in the packets from
the source networks. The classifiers, near the attack source networks, inject
markings into each packet identifying it as either legitimate or suspicious.
The rate limiters then give preferential treatment to those packets marked
as legitimate followed by those labeled as suspicious. Any packets without
any markings are limited the most.
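The rate limiter's preferential treatment can be sketched as a priority drop policy. The marking values and the packet-count capacity are hypothetical stand-ins; real DefCom rate limiters throttle traffic aggregates at core routers:

```python
# Priority order for markings: legitimate first, then suspicious,
# then unmarked traffic (limited the most).
PRIORITY = {'legitimate': 0, 'suspicious': 1, None: 2}

def rate_limit(packets, capacity):
    """Admit up to `capacity` packets, preferring better markings.

    packets: list of (packet_id, marking) pairs, where marking is
    'legitimate', 'suspicious', or None for unmarked traffic.
    """
    ranked = sorted(packets, key=lambda p: PRIORITY[p[1]])
    return [pid for pid, _ in ranked[:capacity]]
```

Under congestion, marked-legitimate packets survive first, suspicious packets fill any remaining capacity, and unmarked packets are dropped earliest, which mirrors the preference order described above.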
4.8.5 SIFF
This approach [Yaar et al. (2004)] is similar to others in that it uses rate fil-
tering based on the classification of the traffic being sent. What is different
is that SIFF is not reactive but proactive. The basic idea is this: as part
of the initial connection handshake, the two nodes would exchange capabil-
ities. Packets between these nodes using these capabilities would then be
viewed as privileged communication. Routers would monitor this and give
less precedence to unprivileged packets. There would also be mechanisms
in place to detect floods of “privileged” packets and if necessary, revoke the
capabilities granted to the sending node. This helps to address situations
in which an attacker attempts to forge packets so that they seem to have
been sent from a node that is part of an existing (privileged) session.
The only problem with this scheme is that it would require a funda-
mental change to the TCP/IP model in order to be effective. The authors
suggest incorporating SIFF into IPv6 or creating modules that could be in-
stalled in IPv4 nodes and routers. To be effective, deployment would have
to be widespread.
4.8.7 PacketScore
One of the problems with many of the research solutions thus far is that
they are reactive. The victim determines that an attack is underway and
attempts to block traffic using a series of router-based access control lists.
To be effective, though, network providers must all cooperate. Even models
like SOS (see Section 4.9), which selectively allow only legitimate traffic to
reach core servers, are effective only if the border routers are not completely
overwhelmed.
PacketScore [Kim et al. (2004b)] is an attempt to use a model similar to
that used to combat Spam. Each packet is scanned and a score computed. If
that score exceeds a dynamic threshold, the packet is discarded. Packet in-
formation is collected by Detecting-Differentiating-Discarding routers (3D-
R) found at the edge of all participating networks and thus forms a virtual
security perimeter. When one router detects a potential attack, it communicates
with a DDoS Control Server (DCS), and together they compare the
traffic to a normal traffic profile for that network. Statistical and “fine-
grain” characteristics are examined for each packet, and a score (CLP)
is generated via Bayesian analysis. That score is then compared to the
threshold to determine whether the packet should be allowed into the target
network. The threshold itself is dynamic and based primarily on the target
network's bandwidth capacity.
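The score-then-threshold flow can be illustrated with a simple per-attribute log-likelihood-ratio score. This is a schematic stand-in: the real CLP computation in PacketScore is a finer-grained Bayesian estimate, and the profile shapes and names here are assumptions:

```python
import math

def packet_score(packet_attrs, normal_profile, attack_profile):
    """Toy attack-likeness score: the sum of log-likelihood ratios of
    each attribute value under the measured (attack-time) profile
    versus the network's nominal profile.  Higher = more attack-like.
    """
    score = 0.0
    for attr, value in packet_attrs.items():
        p_norm = normal_profile.get(attr, {}).get(value, 1e-6)
        p_att = attack_profile.get(attr, {}).get(value, 1e-6)
        score += math.log(p_att / p_norm)
    return score

def admit(score, threshold):
    """Packets scoring at or below the (dynamic) threshold pass."""
    return score <= threshold
```

With a nominal profile that is mostly TCP and an observed flood that is mostly UDP, UDP packets score positive (attack-like) and TCP packets negative, so a threshold near zero discards the flood while passing ordinary traffic.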
One of the problems with this approach is that as bandwidth has in-
creased, it is becoming harder to score packets without introducing delays.
A revision of PacketScore, called ALPI, attempts to address this. Instead
of doing the Bayesian (CLP) checks, it observes current attributes and
compares them to those within the normal profile: the LB system (commonly
used for traffic shaping) tracks the number of times attributes occur, and if
these values exceed what should be accepted, the packet is discarded.
An alternative included in ALPI [Ayres et al. (2006)] is the AV system,
which looks at the variance of attributes from the norm. The authors
modeled this approach on the way some current intrusion detection models
are deployed. While more complex than LB, it was faster than CLP and,
in their experiments, proved more accurate in deciding which packets
to drop.
4.8.8 Speak-Up
Speak-up [Walfish et al. (2006)] takes a unique, counterintuitive approach.
Many DDoS attacks are application centric. They flood the target
with legitimate appearing service requests (e.g. HTTP GET) but never
view the responses. The idea is that it is far more expensive for the server
to fork copies of the daemon needed (and using up CPU and memory re-
sources) than for an attacker to issue a simple request. Rather than trying
to limit the flow of traffic from suspected attackers, Speak-up deals with
this by encouraging all clients to increase the amount of data they send.
Since the attackers will already be sending as much data as they can, only
the legitimate clients will be able to increase their volume of traffic.
Clients do this either by padding their requests or by sending extra data
via a separate payment channel. The net effect is that the good traffic
drowns out the attack.
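The intuition can be illustrated with a toy bandwidth-proportional allocation (illustrative numbers and names; in the actual Speak-up design a front-end component allocates service in proportion to the bytes each client delivers):

```python
def allocate_service(requests_bytes, server_slots):
    """Share server capacity in proportion to bytes sent per client.

    requests_bytes: {client: bytes sent}.
    Returns {client: allocated slots}.
    """
    total = sum(requests_bytes.values())
    return {c: server_slots * b / total for c, b in requests_bytes.items()}

# An attacker already sends at full rate (90 units).  When the good
# client "speaks up" from 10 to 90 units, its share of the server
# rises from 10% to 50% -- the attacker cannot respond in kind.
before = allocate_service({'attacker': 90, 'good': 10}, server_slots=100)
after = allocate_service({'attacker': 90, 'good': 90}, server_slots=100)
```

The asymmetry is the whole trick: legitimate clients have idle upstream bandwidth to spend, while a flooding attacker by definition does not.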
In summary, this approach has the same goal as Netbouncer in that only
traffic found to be from a legitimate client should be allowed to pass. The
way SOS handles this is to first set up a virtual network within the real one.
Since the target of most DDoS attacks are servers (e.g. web servers), these
are what are protected. When a client makes a request for a service, its
packets first reach a secure overlay access point (SOAP), pass through beacons and servlets,
and finally arrive at the server. The SOS system includes redundancy
features such that if any node in the system were to fail, another can take
its place [Keromytis et al. (2004)].
This model has since been extended to allow for authenticated access
to resources. Specifically, WebSOS [Stavrou et al. (2005)] enables clients
to gain access through the overlay network after first authenticating to
the network. This authentication takes the form of a Graphical Turing
Test (GTT). The model used is called CAPTCHA (Completely Automated
Public Turing test to Tell Computers and Humans Apart) which displays
a morphed image of letters and requires the client to type them in. After
successfully authenticating, these clients receive a signed applet which connects
them to the beacon network via a SSL encrypted channel.
A more general model of WebSOS can be used by ISPs to protect entire
networks from DDoS attacks. In many situations, if an ISP detects an at-
tack on one of its clients, it can simply direct its routers to drop all packets
destined for that network. This is often called blackholing. While this does
not help the client who is being attacked, it does protect other clients of
the ISP from experiencing performance problems. Gore [Chou et al. (2005)],
an architecture based on SOS, adds proxies and a gore center to the ISP
infrastructure to help attacked clients remain accessible. When the ISP detects
an attack, the gore routers reroute all traffic for the target network to the
gore center. The center then attempts to determine which are legitimate
and which should be discarded. Proxies can be used in the same manner as
WebSOS. Clients can authenticate either by a GTT or centralized authen-
tication server (e.g. RADIUS Server) to get priority access. All allowed
traffic then passes to internal servers much like the original SOS model.
An interesting extra feature for ISPs is that the proxy capability of
WebSOS and Gore can be offered to clients as a paid add-on feature.
4.10 Conclusion
Chapter 5
time (service time). This index can be significantly improved by using the
RMS that divides a task into a set of subtasks which can be executed in par-
allel by multiple online resources. Many complicated and time-consuming
tasks that could not be implemented before now run well in the grid
environment.
It is observed in many grid projects that the service time experienced
by the users is a random variable. Finding the distribution of this vari-
able is important for evaluating the grid performance and improving the
RMS functioning. The service time is affected by many factors. First, vari-
ous available resources usually have different task processing speeds online.
Thus, the task execution time can vary depending on which resource is as-
signed to execute the task/subtasks. Second, some resources can fail when
running the subtasks, so the execution time is also affected by the resource
reliability. Similarly, the communication links in grid service can be discon-
nected during the data transmission. Thus, the communication reliability
influences the service time as well as data transmission speed through the
communication channels. Moreover, the service requested by a user may be
delayed due to the queue of earlier requests submitted from others. Finally,
the data dependence imposes constraints on the sequence of the subtasks’
execution, which has significant influence on the service time.
This chapter first introduces the grid computing system and service, and
analyzes various failures in the grid system. Both reliability and performance
are analyzed in accordance with the performability concept. Then, the
chapter presents models for star- and tree-topology grids, respectively. The
reliability and performance evaluation tools and algorithms are developed
based on the universal generating function, graph theory, and Bayesian
approach. Both failure correlation and data dependence are considered in
the models.
global grid system is generally depicted in Figure 5.1. Various organizations
[Foster et al. (2001)] integrate/share their resources on the global
grid. Any program running on the grid can use those resources if it can be
successfully connected to them and is authorized to access them. The sites
that contain the resources or run the programs are linked by the global
network as shown in the left part of Figure 5.1.
[Figure 5.1 depicts the layered architecture of the global grid system: an
application programs layer (programs P1, ...), an access/control layer
containing the network, resource descriptions, and resource sites, and a
shared resources layer (resources R1, ...). Notations: P = Program,
R = Resource, RM = Resource Management, RMS = Resource Management System.]
(1) Program layer : The program layer represents the programs of the cus-
tomer’s applications. The programs describe their required resources
and constraint requirements (such as deadline, budget, function etc).
These resource descriptions are translated to the resource requests and
sent to the next request layer.
(2) Request layer : The request layer provides the abstraction of “program requirements” as a queue of resource requests. The primary goals of this layer are to maintain this queue in a persistent and fault-tolerant manner.
(1) Program layer : Software failures can occur during the subtask (pro-
gram) execution; see e.g. [Xie (1991); Pham (2000)].
(2) Request layer : When the programs’ requests reach the request layer,
two types of failures may occur: “blocking failure” and “time-out fail-
ure”. Usually, the request queue has a limitation on the maximum
number of waiting requests [Livny and Raman (1998)]. If the queue
is full when a new request arrives, the request blocking failure occurs.
The grid service usually has its due time set by customers or service
monitors. If the waiting time for the requests in the queue exceeds the
due time, the time-out failure occurs [Abramson et al. (2002)].
(3) Management layer : At this layer, a “matching failure” may occur if the requests fail to match with the correct resources [Xie et al. (2004)] (pp. 185-186). Errors such as incorrectly translating the requests, registering a wrong resource, ignoring resource disconnection, or misunderstanding the users’ requirements can cause these matching failures.
(4) Network layer : When the subtasks (programs) are executed on remote resources, the communication channels may be disconnected either physically or logically, which causes a “network failure”, especially during long transmissions of large datasets [Dai et al. (2002)].
(5) Resource layer : The resources shared on the grid can be of software,
hardware or firmware type. The corresponding software, hardware or
combined faults can cause resource unavailability.
Grid service reliability models need to take into account the effect of service performance (execution time) upon
the reliability of the grid elements. The conventional models [Kumar et al.
(1986); Chen and Huang (1992); Chen et al. (1997); Lin et al. (1997)] are
based on the assumption that the operational probabilities of nodes or
links are constant, which ignores the links’ bandwidth, communication time
and resource processing time. Such models are not suitable for precisely
modeling the grid service performance and reliability.
Another important issue that has much influence on performance and
reliability is data dependence that exists when some subtasks use the results
from some other subtasks. The service performance and reliability are affected by data dependence because the subtasks cannot be executed fully
in parallel. For instance, the resources that are idle in waiting for the input
to run the assigned subtasks are usually hot-standby because cold-start is
time consuming. As a result, these resources can fail in waiting mode.
The considerations presented above lead to the following assumptions, which form the basis of the grid service reliability and performance model.
Assumptions:
(1) The service request reaches the RMS and is served immediately.
The RMS divides the entire service task into a set of subtasks. The data
dependence may exist among the subtasks. The order is determined by
precedence constraints and is controlled by the RMS.
(2) Different grid resources are registered or automatically detected by the
RMS. In a grid service, the structure of the virtual network (consisting of the RMS and the resources involved in performing the service) can form a star topology with the RMS in the center or a tree topology with the RMS at the root node.
(3) The resources are specialized. Each resource can process one or multiple
subtask(s) when it is available.
(4) Each resource has a given constant processing speed when it is available
and has a given constant failure rate. Each communication channel
has constant failure rate and a constant bandwidth (data transmission
speed).
(5) The failure rates of the communication channels or resources are the
same when they are idle or loaded (hot standby model). The failures
of different resources and communication links are independent.
(6) If the failure of a resource or a communication channel occurs before
the end of output data transmission from the resource to the RMS, the
subtask fails.
September 22, 2007 0:3 World Scientific Book - 9in x 6in tcc
(7) Different resources start performing their tasks immediately after they
get the input data from the RMS through communication channels. If the same subtask is processed by several resources (providing execution redundancy), it is completed when the first result is returned to the RMS.
The entire task is completed when all of the subtasks are completed and
their results are returned to the RMS from the resources.
(8) The data transmission speed in any multi-channel link does not de-
pend on the number of different packages (corresponding to different
subtasks) sent in parallel. The data transmission time of each package
depends on the amount of data in the package. If the data package
is transmitted through several communication links, the link with the
lowest bandwidth limits the data transmission speed.
(9) The RMS is fully reliable, an assumption justified by the relatively short interval of running a specific service. An imperfect RMS can also easily be included as a module connected in series with the whole grid service system.
where bx is the bandwidth of the link Lx. Therefore, the random time tij of subtask i execution by resource j can take two possible values:

tij = t̂ij = τj + ai/sj     (5.2)

if resource j and the communication path γj do not fail until the subtask completion, and tij = ∞ otherwise. Here, τj is the processing time of the j-th resource.
Subtask i can be successfully completed by resource j if this resource
and communication path γj do not fail before the end of subtask execution.
Given constant failure rates of resource j and the links, one can obtain the conditional probability of subtask success as

pj(t̂ij) = exp(−(λj + πj) · t̂ij)     (5.3)

where λj is the failure rate of resource j and πj is the failure rate of the communication path between the RMS and resource j, which can be calculated as πj = Σ_{x∈γj} λx, where λx is the failure rate of the link Lx. The exponential distribution is common for the reliability of software and hardware components, and has been justified in both theory and practice [Xie et al. (2004)].
These give the conditional distribution of the random subtask execution
time tij : Pr( tij = t̂ij ) = pj (tij ) and Pr( tij = ∞) = 1 − pj (tij ) .
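To make this two-point distribution concrete, the following sketch (with hypothetical numeric inputs) computes t̂ij from Eq. (5.2) and the success probability under the constant-failure-rate (exponential) assumption stated above:

```python
import math

def subtask_time_pmf(a_i, tau_j, s_j, lam_j, pi_j):
    """Two-point pmf of the random execution time t_ij.
    t_hat follows Eq. (5.2); the success probability assumes constant
    failure rates (exponential lifetimes), per Eq. (5.3)."""
    t_hat = tau_j + a_i / s_j                  # Eq. (5.2)
    p = math.exp(-(lam_j + pi_j) * t_hat)      # resource and path survive until t_hat
    return {t_hat: p, math.inf: 1.0 - p}

# hypothetical inputs: 100 units of data at speed 5, tau_j = 10 s,
# resource failure rate 0.0004/s, communication path failure rate 0.0006/s
pmf = subtask_time_pmf(100, 10.0, 5.0, 0.0004, 0.0006)
```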
Assume that each subtask i is assigned by the RMS to the resources composing set ωi. The RMS can initiate the execution of subtask i (send the data to all the resources from ωi) only after the completion of every subtask k ∈ φi. Therefore, the random time Ti of the start of subtask i execution can be determined as

Ti = max_{k∈φi} (T̃k)     (5.4)
In order to obtain the distribution of random time t̃ij one has to take
into account that probability of any realization of t̃ij = T̂il + t̂ij is equal
to the product of probabilities of three events:
According to the definition of the last subtask m, the time of its beginning corresponds to the service completion time, because the time the RMS spends processing the task is neglected. Thus, the random service time Θ is
equal to Tm . Having the distribution (pmf) of the random value Θ ≡ Tm
in the form qml = Pr(Tm = T̂ml ) for 1 ≤ l ≤ Nm , one can evaluate the
reliability and performance indices of the grid service.
In order to estimate both the service reliability and its performance, dif-
ferent measures can be used depending on the application. In applications
where the execution time of each task (service time) is of critical importance, the system reliability R(Θ∗) is defined (according to the performability concept in [Meyer (1997); Grassi et al. (1980); Tai et al. (1980)]) as the probability that the correct output is produced in time less than Θ∗. This index can be obtained as

R(Θ∗) = Σ_{l=1}^{Nm} qml · 1(T̂ml < Θ∗)     (5.8)
When no limitations are imposed on the service time, the service reliability is defined as the probability that the service produces correct outputs regardless of the service time, which can be referred to as R(∞). The conditional expected service time, given that the service does not fail, is

W = Σ_{l=1}^{Nm} T̂ml qml / R(∞)     (5.9)
The pmf of any discrete random variable Y can be represented by a u-function of the form

u(z) = Σ_{k=1}^{K} αk z^{yk}     (5.10)

where the variable Y has K possible values and αk is the probability that Y is equal to yk.
[Figure: Star topology of the grid service virtual structure, with the RMS in the center directly connected to each resource.]
where t̂ij and pj (t̂ij ) are determined according to Eqs. (5.2) and (5.3)
respectively.
The pmf of the random start time Ti for subtask i can be represented by the u-function Ui(z) taking the form

Ui(z) = Σ_{l=1}^{Li} qil z^{T̂il}     (5.13)
where

ũi(z, T̂il) = ũij1(z, T̂il) ⊗min · · · ⊗min ũiji(z, T̂il)     (5.16)

which can be computed recursively by applying ũi(z, T̂il) = ũi(z, T̂il) ⊗min ũie(z, T̂il) for e = j2, . . . , ji.
Having the probabilities of the mutually exclusive realizations of start
time Ti , qil = Pr(Ti = T̂il ) and u-functions ũi (z, T̂il ) representing corre-
sponding conditional distributions of task i completion time, we can now
Ũi(z) = Σ_{l=1}^{Ni} qil ũi(z, T̂il)     (5.17)
Having the u-functions Ũk(z) representing the pmf of the completion time T̃k for any subtask k ∈ φi = {k1, ..., ki}, one can obtain the u-function Ui(z) representing the pmf of the subtask i start time Ti according to (5.4) as

Ui(z) = Ũk1(z) ⊗max Ũk2(z) ⊗max · · · ⊗max Ũki(z) = Σ_{l=1}^{Ni} qil z^{T̂il}     (5.18)

This can be computed recursively: starting from Ui(z) = z^0, apply Ui(z) = Ui(z) ⊗max Ũe(z) for e = k1, . . . , ki.
It can be seen that if φi = ∅ then Ui (z) = z 0 .
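The composition operators ⊗max and ⊗min admit a direct implementation when each u-function is stored as a map from realizations to probabilities. The following sketch, using hypothetical pmfs, illustrates the recursive computation of Ui(z):

```python
import math
from collections import defaultdict

def compose(u1, u2, op):
    """Compose two u-functions: combine realizations with op and
    multiply the corresponding probabilities."""
    out = defaultdict(float)
    for t1, p1 in u1.items():
        for t2, p2 in u2.items():
            out[op(t1, t2)] += p1 * p2
    return dict(out)

# hypothetical completion-time pmfs of two predecessor subtasks
U_k1 = {120.0: 0.95, math.inf: 0.05}
U_k2 = {100.0: 0.90, math.inf: 0.10}

# start time of subtask i per Eq. (5.18): begin with U_i = z^0, fold with op=max
U_i = {0.0: 1.0}
for U_e in (U_k1, U_k2):
    U_i = compose(U_i, U_e, max)
# the min-composition of Eq. (5.16), used for redundant execution of the
# same subtask on several resources, is the same operation with op=min
```

Here the start time is 120 with probability 0.95 × 0.90 and ∞ otherwise, exactly the bookkeeping the ⊗max operator performs.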
The final u-function Um(z ) represents the pmf of random task comple-
tion time Tm in the form
Um(z) = Σ_{l=1}^{Nm} qml z^{T̂ml}     (5.19)
Using the operators defined above one can obtain the service reliability
and performance indices by implementing the following algorithm:
(1) Determine t̂ij for each subtask i and resource j ∈ ωi using Eq. (5.2);
Subtasks 1 and 3 get the input data directly from the RMS, subtask 2 needs the output of subtask 1, and the service task is completed when the RMS gets the outputs of both subtasks 2 and 3: φ1 = φ3 = ∅ , φ2 = {1} ,
φ4 = {2, 3} . These subtask precedence constraints can be represented by
the directed graph in Figure 5.3.
[Figure 5.3: Directed graph of the subtask precedence constraints: 1 → 2; 2 → 4; 3 → 4.]
Since φ1 = φ3 = ∅, the only realization of the start times T1 and T3 is 0 and, therefore, U1(z) = U3(z) = z^0. According to step 2 of the algorithm we
can obtain the u-functions representing pmf of completion times t̃11 , t̃12 ,
t̃35 and t̃36 . In order to determine the subtask execution time distributions
for the individual resources, define the u-functions uij (z ) according to Table
5.1 and Eq. (5.9):
ũ23 (z, ∞) = z ∞ ;
ũ24 (z, ∞) = z ∞ .
(0.861z 300 + 0.128z 430 + 0.011z ∞ )=0.603z 350 + 0.049z 400 + 0.283z 430 +
0.017z 480 + 0.048z ∞ .
The pmf of the service time is:
Pr(T4 = 350) = 0.603; Pr(T4 = 400) = 0.049;
Pr(T4 = 430) = 0.283; Pr(T4 = 480) = 0.017;
Pr(T4 = ∞) = 0.048.
From the obtained pmf we can calculate the service reliability using
Eq. (5.8):
R(Θ∗) = 0.603 for 350 < Θ∗ ≤ 400;
R(Θ∗) = 0.652 for 400 < Θ∗ ≤ 430;
R(Θ∗) = 0.935 for 430 < Θ∗ ≤ 480;
R(∞) = 0.952
and the conditional expected service time according to Eq. (5.9):
W = (0.603 × 350 + 0.049 × 400 + 0.283 × 430 + 0.017 × 480)/0.952
= 378.69 sec.
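The reliability indices of this example follow mechanically from the pmf; the short sketch below reproduces the computations of Eqs. (5.8) and (5.9):

```python
import math

# pmf of the service time obtained in the example above
pmf = {350: 0.603, 400: 0.049, 430: 0.283, 480: 0.017, math.inf: 0.048}

def R(theta_star):
    # Eq. (5.8): probability that the correct output arrives before theta*
    return sum(q for t, q in pmf.items() if t < theta_star)

R_inf = R(math.inf)   # probability of producing correct output at all
# Eq. (5.9): expected service time conditioned on success
W = sum(t * q for t, q in pmf.items() if t < math.inf) / R_inf
```

W evaluates to roughly 378.68 sec, matching the value above up to rounding of the probabilities.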
In the star grid, the RMS is connected to each resource by one direct communication channel (link). However, such an approximation is not accurate enough, even though it simplifies the analysis and computation. For example, several resources located in the same local area network (LAN) can use the same gateway to communicate outside the network. Thus, these resources are not connected to the RMS through independent links.
The resources are connected to the gateway, which communicates with the
RMS through one common communication channel. Another example is
a server that contains several resources (has several processors that can
run different applications simultaneously, or contains different databases).
Such a server communicates with the RMS through the same links. These
situations cannot be modeled using only the star topology grid architecture.
In this section, we present a more reasonable virtual structure which
has a tree topology. The root of the tree virtual structure is the RMS,
and the leaves are resources, while the branches of the tree represent the
communication channels linking the leaves and the root. Some channels are
commonly used by multiple resources. An example of the tree topology is given in Figure 5.4, in which four resources (R1, R2, R3, R4) are available for a service.
The tree structure models the common cause failures in shared com-
munication channels. For example, in Figure 5.4, the failure in channel L6
makes resources R1, R2, and R3 unavailable. This type of common cause failure is ignored by conventional parallel computing models and by the above star-topology models. For small-area communication, such as a LAN or a cluster, the assumption of ignoring common cause failures in communication is acceptable because the communication time is negligible compared to the processing time. However, for wide-area communication, as in a grid system, failures of communication channels are more likely, and the communication time cannot be neglected; in many cases it may even dominate the processing time due to the large amounts of data transmitted. The virtual tree structure is therefore an adequate model of the functioning of grid services.
a much simpler way because each resource has a single path to the RMS,
and the tree structure is acyclic.
After the subtasks have been assigned to corresponding resources, it
is easy to find all combinations of resources such that each combination
contains exactly m resources executing m different subtasks that compose
the entire task. Each combination determines exactly one MTST consisting
of links that belong to paths from the m resources to the RMS. The total
number of MTST is equal to the total number of such combinations N,
where
N = Π_{j=1}^{m} |ωj|     (5.20)
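Since every MTST corresponds to choosing one executing resource per subtask, both the combinations and the count N of Eq. (5.20) can be enumerated directly. The resource assignment below is hypothetical:

```python
from itertools import product

# hypothetical resource sets omega_j for m = 2 subtasks J1 and J2
omega = {"J1": ["R1", "R4"], "J2": ["R2", "R3", "R4"]}

# each combination of one executing resource per subtask induces one MTST
combinations = list(product(*omega.values()))
N = len(combinations)   # Eq. (5.20): N = product over j of |omega_j|
```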
Now, we can sort the MTST in an increasing order of their conditional task
completion times Y{i} , and divide them into different groups containing
MTST with identical conditional completion time. Suppose there are K
such groups denoted by G1 , G2 , ..., GK where 1 ≤ K ≤ N , and any group
Gi contains MTST with identical conditional task completion times Θi (
0 ≤ Θ1 < Θ2 < ... < ΘK ). Then, it can be seen that the probability Qi = Pr(Θ = Θi) can be obtained as

Qi = Pr(Ei, Ēi−1, Ēi−2, ..., Ē1)

where Ei is the event that at least one MTST from the group Gi is available, and Ēi is the event that no MTST from the group Gi is available.
Suppose the MTST in a group Gi are arbitrarily ordered, and Fij
(j =1,2,. . . , Ni ) represents an event when the j -th MTST in the group
is available. Then, the event Ei can be expressed by
Ei = ∪_{j=1}^{Ni} Fij     (5.23)

Pr(Ei, Ēi−1, Ēi−2, ..., Ē1) = Pr(∪_{j=1}^{Ni} Fij, Ēi−1, Ēi−2, ..., Ē1)     (5.24)

Qi = Σ_{j=1}^{Ni} Pr(Fij) · Pr(F̄i(j−1), F̄i(j−2), ..., F̄i1, Ē1, Ē2, · · ·, Ēi−1 | Fij)     (5.25)
S3: path for J1: (R4, 53), (L4, 53); path for J2: (R2, 40), (L2, 40), (L5, 40), (L6, 40).
S4: path for J1: (R4, 53), (L4, 53); path for J2: (R3, 58), (L3, 58), (L6, 58).
(1) R2 during the first 40 seconds, and R4 during the first 53 seconds;
(2) R2 during the first 40 seconds, and L4 during the first 53 seconds;
(3) L2 during the first 40 seconds, and R4 during the first 53 seconds; and
(4) L2 during the first 40 seconds, and L4 during the first 53 seconds.
Therefore,

Pr(S̄1, S̄3, S̄4 | S2) = 1 − Π_{i=1}^{4} (1 − Π_{j=1}^{2} [1 − exp(−λij · tij)]) = 0.1230,

where λij is the failure rate of the j-th critical element in the i-th combination (j = 1, 2; i = 1, 2, 3, 4), and tij is the duration of the time interval for the corresponding critical element.
Having the values of Pr(S1), Pr(S2), Pr(S̄3, S̄4 | S1), and Pr(S̄1, S̄3, S̄4 | S2), one can calculate

Pr(Θ = 78) = Q3 = 0.1999 × 0.3456 + 0.2068 × 0.1230 = 0.0945.

After obtaining Q1, Q2, and Q3, one can evaluate the total task failure probability as

Pr(Θ = ∞) = 1 − Q1 − Q2 − Q3 = 1 − 0.3738 − 0.1480 − 0.0945 = 0.3837,

and obtain the pmf of the service time presented in Table 5.3. From this pmf, one can calculate the service reliability

R(∞) = Q1 + Q2 + Q3 = 0.6164,

the probability that the service time is not greater than a pre-specified value of θ∗ = 60 seconds as

R(θ∗) = Σ_{i=1}^{3} Qi · 1(Θi < θ∗) = 0.3738 + 0.1480 = 0.5218,
and the expected service execution time given that the system does not fail
as
W = Σ_{i=1}^{3} Θi Qi / R(∞) = 35.7664/0.6164 = 58.025 seconds.
(1) Monitoring the failures of the components (virtual links and nodes) in the grid service, and recording the total execution time of those components. The failure rates of the components can then be estimated simply as the number of failures divided by the total execution time.
(2) Monitoring the real-time network traffic of the involved channels (virtual links) in order to obtain the bandwidth of the links.
5.5 Conclusion
Chapter 6
Grid computing environments are typical CC paradigms in which users offer and share their resources. In this omnipresent environment, security becomes a critical factor for success. This chapter introduces the grid security problem, its challenges, and its requirements. Moreover, we present a dual-level key management scheme which offers secure grid communication and fine-grained access control to shared grid resources. How this scheme supports grid services is also illustrated with examples of typical grid services.
(1) Single sign-on: A user should be able to authenticate once and then acquire, use, and release resources, as well as communicate internally, without further authentication.
(2) Protection of credential: User credentials must be protected.
(3) Interoperability with local security solutions: While grid security solutions may provide inter-domain access mechanisms, access to local resources will typically be determined by a local security policy enforced by local security mechanisms.
(4) Exportability: The code must be exportable and executable in multi-
national test beds.
Besides the above examples, much other work has been done or is ongoing on grid security. Typical examples include the general grid security architecture [Foster et al. (1998)], secure grid services [Welch et al. (2003)], visualized grid computing services and their security implications [Humphrey
and Thompson (2002)], Globus project and Globus Security Infrastructure
[Foster and Kesselman (1997)], Globus Toolkit 4 (GT 4) Authentication
Framework [Lang et al. (2006)], Grid system security architecture [Li et al.
(2006)], Scalable Grid Security Architecture [Zhou et al. (2005)], and trust
based grid security models [Farag and Muthucumaru (2002); Lin et al.
(2004b,a)]. More recently, web services have provided several security standards that have greatly influenced security in grid computing. Due to the significant overlap in security requirements, grid service standards are converging with web service standards. We will not go into detail about these works; instead, we will focus on secure grid communication and controlled resource sharing and data exchange, the two most fundamental functions in grid computing, and propose a practical solution to them.
The real and specific problem that underlies the Grid concept is coordinated
resource sharing and problem solving in dynamic, multi-institutional vir-
tual organizations [Foster et al. (2001)]. The sharing that we are concerned
with is not primarily file exchange but rather direct access to computers,
software, data, and other resources. This is required by a range of col-
the user certificate that authenticates the users using the grid services. In
this registration process, the permanent secret key can be embedded into
the certificates issued to the member. Assume p is a large prime which
forms a finite field Fp .
Whenever a group of users participates in a grid service, the Key Management Server (KMS) constructs a polynomial A(x) over the finite field Fp[x] as:

A(x) = Π_{i∈ψ} (x − f(SIDi, z))     (6.1)
where ψ denotes the group under consideration, and the SIDi are the permanent secret keys assigned to the members in ψ; f(x, y) is a public one-way hash function and z is a random integer from Fp. A(x) is called an Access Control Polynomial (ACP). From Eq. (6.1), it is apparent that A(x) evaluates to 0 when x is substituted with f(SIDi, z) by a valid user with SIDi in ψ; otherwise, A(x) takes a random value.
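A small sketch may help make the ACP mechanism concrete. It is illustrative only: the prime, the hash-based realization of f, and the group parameters are stand-ins, and the hiding of the group key follows the construction P(x) = A(x) + K used by the scheme:

```python
import hashlib

p = (1 << 61) - 1  # a Mersenne prime standing in for the large prime of F_p

def f(sid: int, z: int) -> int:
    """Public one-way function f(x, y), modeled here with SHA-256."""
    digest = hashlib.sha256(f"{sid}:{z}".encode()).digest()
    return int.from_bytes(digest, "big") % p

def poly_mul(a, b):
    """Multiply two polynomials (coefficient lists, lowest degree first) in F_p."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out

def build_acp(sids, z):
    """A(x) = product over members of (x - f(SID_i, z)), per Eq. (6.1)."""
    a = [1]
    for sid in sids:
        a = poly_mul(a, [(-f(sid, z)) % p, 1])
    return a

def eval_poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):   # Horner's rule, highest degree first
        acc = (acc * x + c) % p
    return acc

# KMS side: hide a random group key K in P(x) = A(x) + K
sids, z, K = [11, 22, 33], 987654321, 424242
P = build_acp(sids, z)
P[0] = (P[0] + K) % p

# a valid member evaluates P at f(SID, z) and recovers K; an outsider does not
assert eval_poly(P, f(22, z)) == K
assert eval_poly(P, f(99, z)) != K
```

Because A(x) vanishes exactly at the hashed member values, evaluating P(x) there strips A(x) away and leaves K, while any other input yields an unpredictable field element.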
The KMS selects a random group key K for the group ψ and computes the polynomial

A′(x) = Π_{i∈ψ} (x − f(SIDi, z)) · (x − f(SIDt, z))     (6.4)
root will be f(SID, z) but not SID. In addition, one cannot obtain SID from f(SID, z). The only benefit of knowing f(SID, z) is to get K by plugging it into this very P(x) (for any other P(x), its z is different, and so is f(SID, z)). However, the internal spy has already obtained K. Thus, the clever use of the one-way function prevents this internal individual attack.
As for the collusion of multiple internal users, in the sense that w internal spies collude to derive other members’ personal secrets using all of their SIDi (i = 1, 2, 3, . . . , w), our novel idea of A(x) makes such collusion meaningless. This is very different from other polynomial-based techniques [Blundo et al. (1998a, 1993); Zou et al. (2002a)]. In those previous polynomial-based schemes, t + 1 or more internal users may recover the entire polynomial by interpolating their t + 1 points (i.e., (IDi, h(IDi))), where t is the system security parameter and, in general, the degree of the polynomial. However, polynomial interpolation is useless here because the users do not have points but just one value each (i.e., SIDi but not A(SIDi); or rather, f(SIDi, z) but A(f(SIDi, z)) = 0). Again, f(SIDroot, z) may be obtained but SIDroot cannot. In the next activity, when the random value z is changed to z′, the previous f(SIDroot, z) becomes useless. In summary, this DLKM is perfect against internal collusion of any degree.
• Attack across Groups. Attacking across groups means the members in
different vertices/groups collude to find other group private keys ki or
other users’ secret keys SIDi. This may occur in different scenarios, e.g. two users in different child nodes collude to get the key used in their parent node, or one user in a sibling node and another in a child node collude to attack the parent, and so on. However, no matter what combination they form, their attacks are useless in our DLKM. At the first level, external collusion is meaningless because all the P(x)s, whether in different or the same vertices, are independent due to the random z selected each time. The internal attack has been shown useless above. Similarly, at the second level, any attempt to extract another group’s private key ki would have to violate the one-way property of the hash function, and is thus impossible.
• Information Gleaning. A hacker may attempt to collect many publicized P(x)s, hoping to break the system by analyzing the relations among them. As discussed above, this will not work here, since all P(x)s are independent.
• The Analysis at the First Level. At the first level, there are multi-
ple user groups and each is associated with a node in the hierarchy.
The CA manages all user groups, but it manages each of them in-
dependently. There are three typical operations: initialization, user join, and user leave; and three kinds of complexities: storage, computation, and communication. The CA needs to store all the information
about the hierarchy, nodes, user groups, and users (personal secrets),
thus its space complexity is O(mn). However, since we assume the
CA is more powerful than users, this space requirement for the CA
is not a problem. For every user, the only thing the user needs to
store is his personal secret key SIDi . Thus, the storage requirement
at the user end is O(1). Note that this is an important feature which makes the scheme applicable to devices of limited capability, such as PDAs. Let us consider the three operations one by one. For initializing a node (i.e., the user group of the node), the CA has to calculate
A(x) = (x − f (SID1 , z)) · (x − f (SID2 , z)) · · · (x − f (SIDm , z)) and
P (x) = A(x) + k and then multicast P (x) (along with z ) to all users in
the node. The time complexity for computing A(x) is O(m2 ). If A(x)
has been computed, the time complexity for computing P (x) is just
O (1). Otherwise, the time complexity for P (x) is O(m2 ). Multicast-
ing P (x) means multicasting its coefficients. Since P (x) has degree m
and m+1 coefficients, the message size is O(m). So the communication
complexity for initialization is one multicast and O(m) per multicast.
Let us consider the complexities of the new user join operation. The CA just computes a new P(x) and unicasts it (along with z) to the joining user. So, the time complexity is O(m2) and the communication complexity is one unicast and O(m) per unicast. Note: if, in order to ensure backward secrecy, the joining user is not allowed to obtain the previous key, then a new secret key k̂i needs to be selected
and multicast to all users including the joining user in the node. In
this case, the communication complexity is one multicast and O(m)
per multicast. When a user leaves or is revoked, a new group key
must be generated and distributed to all the remaining users in the
same node. Similarly, the computation complexity is O(m2 ) and the
communication complexity is one multicast and O(m) per multicast.
Finally, let us consider the computation cost for a user to compute the key k from P(x). Computing k is a simple matter of computing f(SIDi, z) and substituting the result for x in P(x). Since the degree of P(x) is m, the computation complexity is O(m2). One dynamic
scenario is that some users may join and some other users may leave
the same group at the same time. The elegance of distributing the key
via P (x) is that the CA just includes the SID s of the new joining users
and excludes the SID s of the leaving users in the formation of new
A(x). Thus, multiple joins and leaves can be performed with the same efficiency. Table 6.1 summarizes the complexities at the first level.
• The Analysis at the Second Level. One frequent operation for HAC
is key derivation, i.e. a node derives the key of its descendant from
its own key. This derivation will follow the path from the node to
the descendant and use the one-way function iteratively. Obviously,
the longer the path, the more complex the key derivation. The worst
case is O(n). To decrease the key derivation complexity, the methods proposed in [Atallah et al. (2005)] can be applied to simplify the second-level computation: the time complexity is reduced by adding shortcuts. Once shortcuts are added, key derivation no longer needs to follow every edge from the starting node to the destination node. Instead, by using shortcuts,
we can jump from one special node to another special node, covering
many edges in between. As a result, for an n node hierarchy with
shortcuts, the key derivation time complexity is O(log log n) one-way
function computations with O(n) public space [Atallah et al. (2005)].
The typical dynamic operations at the second level include
adding/deleting a node/edge. In addition, the shortcut operation may
be combined with each of these operations. Let us analyze them one
by one and results are shown in Table 6.2.
When adding a node (it is assumed that the edges between the node
and its parents (if any) as well as its children (if any) are also added),
the time complexity depends on the position where the new node is
added. If the new node is added as a leaf node without any descendants,
the time complexity should be constant, because only the edge value
between the new node and its parent is created. If it is possible/allowed
for a node to have multiple parents, the complexity depends on the
number of parents. Assume this number is F, then the complexity is
O(F ). When the new node is added as a parent of some existing nodes,
the edge values between the new node and its children also need to be
computed. Suppose the number of children is S. The time complexity
is O(S). If shortcuts are used, we have to recompute them; the computation of shortcuts takes linear time in n. Thus, the total time complexity is O(n). (Shortcuts are created between centroids and the root; when a node is added or deleted, the positions of the centroids move, so the shortcuts must be recomputed.)
Let us consider the operation of deleting a node. When the removed
node is a leaf, nothing needs to be done except discarding the parame-
ters related to the node, so the time complexity is constant. However,
if the removed node is an internal node, the situation is quite different.
The IDi used in the descendant nodes will change, and ki will be recomputed through ki = f(k̂i, IDi). All edge values related to these changed ID and k values must be recomputed. Since the extreme case is that
all the nodes are the descendants of the deleted node, the worst case
time complexity for deleting a node is O(n). In addition, if shortcuts are used, they must also be recomputed, which again takes linear time in n. Thus, the time complexity is O(n).
Let us consider the time complexity for adding/deleting an edge. For
adding an edge, the CA just computes the edge value, which is constant.
If shortcuts are used, they need to be recomputed, which is O(n). As
for deleting an edge, the CA may just discard the edge value. In case
shortcuts are used, there is a need to recompute shortcuts, which is
O(n). One issue is that if the deleted edge was previously the only way for the parent node u of the deleted edge to reach its child node s,
u should not reach s anymore after deletion. This means that all ID
values of s and its descendants need to be changed. So all the private
keys of these nodes will be recomputed and all the edge values related
to these key and ID values need to be recomputed. This complexity is
O(n).
• The Analysis for Combination of Two Levels.
When a member joins an existing node vi, all that needs to be done is to distribute the existing k̂i to this new member with a new P(x). The time complexity is the same as that of the user join operation at the first level, i.e., O(m2).
When a member is removed from a node vi, the situation is more complicated. The CA must not only change k̂i, select a new IDi, and recompute ki, but also select a new IDj and recompute kj for every descendant node vj. After that, all edge values in the subtree rooted at vi must be recomputed. These steps take linear time in n. Then the CA needs to compute Pi(x) by excluding the removed member and distribute Pi(x) to all the remaining members in vi, which takes O(m2). Thus, the total time complexity is O(m2 + n). If shortcuts are used, although no node is deleted and the structure of the hierarchy does not change, the shortcuts must still be recomputed because many edge values have changed; this contributes another O(n), so the total time complexity remains O(m2 + n).
From the above description, we can see that when a member moves
from one node to another, he was just removed from one node and then
joins the other. Thus, the time complexity is the sum of complexities
for joining and leaving, being O(m2 + n) too.
DLKM can make grid services secure in data communication and access
control. We discuss how to apply DLKM to grid computing in this section.
[Figure: two grid domains, each with an RMS and a CA managing data
sources and computing resources (PCs).]
(1) A user submits a request for a certain grid service to the RMS control-
ling this domain;
(2) The RMS detects a group of available resources (including computa-
tional resources and data resources);
(3) The RMS informs the CA. The CA randomly generates a key K1 and
then uses the private key ki of node vi to encrypt K1 where vi is the
vertex these resources belong to;
(4) The CA multicasts the encrypted key to these resources and to the
RMS;
(5) The resources holding ki can decrypt K1 . The RMS can derive ki
first (note: the RMS is usually at the top of the hierarchy and vi is
its descendant), and thus the RMS can also obtain the same K1 ;
(6) Thus, these resources together with the RMS can use this common
key K1 to communicate. For example, the RMS needs to send
jobs/programs to the resources, then the resources need to communi-
cate/access/exchange data, and finally the results need to return to the
RMS for composition. All of these communication processes need the
common key K1 to encrypt communication messages for data privacy;
(7) During the process, if certain members (such as system administrators)
need to monitor the whole process, they can derive the private key ki
as long as vi is their descendant, and then decrypt K1 from the public
information generated by the CA. Therefore, they can monitor the
process if they want.
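Steps (3)–(5) above can be sketched in a few lines. This is a toy illustration only: f(k, id) = 2^(k⊕id) mod p is the small one-way function from this chapter's worked example, the XOR "encryption" stands in for a real cipher, and all concrete key/ID values are made up.

```python
# Toy sketch of steps (3)-(5): the CA hides K1 under the group key k_i;
# resources holding k_i, and the RMS (an ancestor), recover it.
P = 13  # toy prime; the case study uses a 128-bit prime

def f(k, ident):
    """Toy one-way function from the chapter's example: 2^(k XOR id) mod P."""
    return pow(2, k ^ ident, P)

# Hierarchy relation: k_child = r_edge XOR f(k_parent, ID_child)
k_rms = 8             # RMS's (ancestor) private key   -- hypothetical value
id_i, r_edge = 7, 12  # node v_i's secret ID and public edge value
k_i = r_edge ^ f(k_rms, id_i)   # resources in v_i hold k_i (= 4 here)

# (3) The CA picks K1 and hides it under k_i (toy XOR "encryption")
K1 = 9
ciphertext = K1 ^ k_i

# (5) A resource in v_i decrypts directly; the RMS first derives k_i
assert ciphertext ^ k_i == K1                 # a resource recovers K1
derived = r_edge ^ f(k_rms, id_i)             # the RMS derives k_i ...
assert ciphertext ^ derived == K1             # ... and then recovers K1
```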
(1) A user submits a request for a certain grid service to the local RMS;
(2) The local RMS finds that besides some local resources, the request
needs to use remote resources from other domains;
(3) The local CA picks up a random K1 and distributes K1 to those local
resources and the local RMS (following the same procedure as above);
(4) The local CA talks with the CAs of those remote domains and dis-
tributes K1 to them, as depicted in Fig. 6.1. There are different ways
to do this. One is via the RSA system, as follows: a) each CA has a
public key; b) the local CA encrypts K1 with the public key of the
corresponding remote CA using the RSA algorithm; c) each remote CA
decrypts K1 using its own private key;
(5) Each remote CA uses its own hierarchy and the DLKM mechanism to
distribute K1 to related resources;
(6) Then, the group is formed, and the group members can communicate
with one another securely using the common key K1 . The corresponding
hierarchical monitoring or data access is also allowed.
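The RSA exchange in step (4) can be sketched with textbook RSA; the tiny primes below are for illustration only (a real deployment uses a full-size modulus with proper padding):

```python
# Toy textbook RSA for step (4): the local CA encrypts K1 under a
# remote CA's public key; only that CA's private key recovers it.
p, q = 61, 53          # toy primes; real keys use >= 1024-bit moduli
n = p * q              # 3233, the remote CA's public modulus
e = 17                 # remote CA's public exponent
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)    # remote CA's private exponent (Python 3.8+)

K1 = 123               # session key chosen by the local CA
c = pow(K1, e, n)      # local CA encrypts with the remote public key
assert pow(c, d, n) == K1   # remote CA decrypts with its private key
```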
that are assigned by the RMS. Moreover, the data source does not know in
advance who requests such types of service, because the service request also
goes to the RMS from users. As a result, many sensitive data sources are
reluctant to join the data grid because of the loss of access control
over their own data. The proposed DLKM can address this concern.
The above-described procedure for computational grids can be easily
adapted to the data grid for access control. The steps of distributing
the common key K1 are similar. Moreover, a sensitive data source that
needs to confine its data access to trusted users or machines should not
use the common shared key K1 to encrypt the data. Rather, it uses its
own group private key ki (suppose it belongs to vertex/group vi ). Then,
only those users who are its ancestors and allowed/trusted to read the
data can derive ki via the hierarchical relation (see Figure 6.2). The
following protocol should be followed:
(1) Sensitive data sent from a data source should be encrypted by its group
private key ki ;
(2) When a trusted machine receives the encrypted data, it can derive ki ;
(3) On the other hand, if a machine is not a trusted one, it cannot
obtain the correct key ki . In this case, the machine reports to the
RMS, and the RMS reassigns the job to another machine (computational
resource) that is trusted by the data source according to the publicized
hierarchy of groups.
(4) Then, once a machine obtains ki , it can decrypt the data and
operate on it. If the results derived from the sensitive data are also
sensitive, the machine encrypts the results with ki again before sending
them back. The encrypted results are sent to the member/user who
requested this grid service, either directly or through the RMS;
(5) When the user obtains the encrypted sensitive results, he can use
his own group private key to derive ki and then decrypt the results. If
he has no right (i.e., he is neither an ancestor of, nor in the same
group as, the sensitive data source), the results are indecipherable to
him, since he cannot derive the correct key ki .
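Steps (2) and (3) hinge on whether a machine can derive ki from its own group key via the hierarchy. A toy sketch follows, using the same small one-way function as elsewhere in the chapter; all concrete numbers here are hypothetical illustration values, not taken from the book:

```python
# Toy sketch of steps (2)-(3): only a trusted ancestor can derive the
# data source's group key k_s from the public edge value.
P = 13

def f(k, ident):
    """Toy one-way function from the chapter's example: 2^(k XOR id) mod P."""
    return pow(2, k ^ ident, P)

k_a, id_s = 8, 7     # trusted ancestor's key and the source node's secret ID
k_s = 4              # the data source's group private key
r = k_s ^ f(k_a, id_s)   # public edge value published by the CA

def try_derive(my_key):
    """Attempt to derive k_s using one's own private key."""
    return r ^ f(my_key, id_s)

assert try_derive(k_a) == k_s   # step (2): a trusted machine derives k_s
assert try_derive(5) != k_s     # step (3): an untrusted machine fails and
                                # reports to the RMS for job reassignment
```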
By this DLKM mechanism, data sources can also control access to their
data using keys and encryption without losing the advantages of grid
computing (large-scale resource sharing). Only trusted members or sites
can derive the key and understand the data, whereas unauthorized users
are unable to understand the encrypted message even though they may be
recruited into the grid task and know the common key K1 . Clearly, the
hierarchical design that defines the relations of trust/accessibility is
very important. If certain data sources are not satisfied with the CA's
hierarchical design, they can suggest that the CA modify it, or choose
to quit if the CA cannot accept their requirements. Such negotiation
between the CA and the members is bi-directional under our DLKM scheme,
which is flexible and fair to both parties, who consent to the
publicized hierarchy for maintaining appropriate security levels.
(1) The special request arrives at the RMS, and the RMS assigns the
available resources to finish the service while notifying the CA of the
non-monitored requirement.
(2) The CA randomly generates a key K1 , and then uses the first-level
mechanism (rather than the second-level ) in our DLKM to hide and
Thus, non-monitored grid services can also be offered by our DLKM. Note
that not everybody is allowed to request such a service; only special
users who are strictly authenticated can request this type of
non-monitored service. Without monitoring, malicious users could easily
abuse the power of grid computing for their evil purposes.
6.5.5.1 Initialization
Suppose the hierarchy at the second level is designed as in Figure 6.2,
and suppose there are m users in the group represented by the middle
vertex 6. For illustration, we use a simplified example with m = 2
users. User 1 has personal secret SID1 = 7, and User 2 has SID2 = 9.
The group secret key then needs to be distributed to both users (suppose
k̂6 = 11 and z = 5 ). By Eq. (1-2), the following polynomial is
generated:
P(x) mod 13 = {A(x) + K} mod 13 = {(x − 2^(7⊕5) )(x − 2^(9⊕5) ) + 11} mod 13
= x^2 − 5x + 2 (6.8)
Then, the coefficients of Polynomial (6.8) are publicized in an array as
{ 1, −5, 2 }. User 1 computes f(SID1 , z) = 2^(7⊕5) = 4 and substitutes
4 for x in Eq. (6.8) to obtain −2 mod 13 = 11. User 2 obtains 11 too.
Thus, both of them get k̂6 = 11. Suppose another user, not in this group,
with SID3 = 6 substitutes his f(SID3 , z) (= 8) into Eq. (6.8); he
derives 26 mod 13 = 0, which is not the key.
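This small example can be replayed in code, using exactly the numbers above (f(s, z) = 2^(s⊕z) mod 13 is the toy one-way function of the example):

```python
# Replaying the Section 6.5.5.1 example: hide the group key in an ACP.
P = 13              # toy prime; the real case study uses 128 bits
z = 5               # public value
K_HAT = 11          # group secret key k-hat_6 to hide

def f(sid, z):
    """Toy one-way function: 2^(sid XOR z) mod P."""
    return pow(2, sid ^ z, P)

def poly_eval(coeffs, x):
    """Evaluate a polynomial given high-to-low coefficients, mod P."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % P
    return acc

# P(x) = (x - f(7, z)) * (x - f(9, z)) + 11  =  x^2 - 5x + 2 (mod 13)
r1, r2 = f(7, z), f(9, z)                    # 4 and 1
coeffs = [1, (-(r1 + r2)) % P, (r1 * r2 + K_HAT) % P]

assert coeffs == [1, 8, 2]                   # 8 == -5 mod 13, Eq. (6.8)
assert poly_eval(coeffs, f(7, z)) == K_HAT   # User 1 recovers 11
assert poly_eval(coeffs, f(9, z)) == K_HAT   # User 2 recovers 11
assert poly_eval(coeffs, f(6, z)) == 0       # outsider gets 26 mod 13 = 0
```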
[Fig. 6.2: the second-level hierarchy of the case study — domain servers
and administrators (vertices 2 and 3) above user groups and dynamic-IP
resources (vertices 4–6), with fixed-IP confidential resources and data
sources (vertices 7–9) below; vertices are annotated with numeric
triples such as (12, 9, 4).]
The above is just an illustrative example. In our real case study, the
system prime P is not as small as 13, but a 128-bit number. The number m
of users in a group is also much larger than 2, and the degrees of the
polynomials are correspondingly much higher. In addition, a stronger
secure one-way hash function than the one above can be used.
Fig. 6.3 Performance of polynomial generation versus the number of group
members: (left) running time vs. the number of group members (m);
(right) the running time is linear in m2
vertex 9, he just needs to plug k6 , ID9 , and r6,9 into kj = ri,j ⊕
f(ki , IDj ) to compute k9 = r6,9 ⊕ f(k6 , ID9 ) = 12 ⊕ (2^(8⊕7) mod 13)
= 4. Once this group key is obtained, all resources in vertex 9 are
available.
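This derivation can be checked directly (k6 = 8, ID9 = 7, and r6,9 = 12 are the values implied by the computation above):

```python
# Verifying the key derivation k9 = r_{6,9} XOR f(k6, ID9) from the text.
P = 13

def f(k, ident):
    """Toy one-way function: 2^(k XOR id) mod P."""
    return pow(2, k ^ ident, P)

k6, id9, r69 = 8, 7, 12
k9 = r69 ^ f(k6, id9)   # 12 XOR (2^15 mod 13) = 12 XOR 8
assert k9 == 4          # matches the group key of vertex 9
```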
authorized users can derive both keys and know the entire results. In
case some malicious resources in group 8, holding K1 = 3, attempt to
access the sensitive data, or some resources are accidentally assigned
by the RMS to operate on the sensitive data, those unauthorized parties
cannot understand the data without the correct key ( k9 = 4 ). Moreover,
the accidentally assigned resources can report to the RMS so that it
reassigns authorized resources to continue the jobs. As a result, a data
source can also control its data privacy through the above process,
rather than exposing its data to all involved or assigned
resources/users.
As is well recognized, grid computing intensively involves collaborative
tasks, in which multiple entities work together via interactions, data
exchange, and resource sharing. Thus, secure group communication and
hierarchical access control are necessary in the grid security archi-
tecture. Our proposed dual-level key management solution is the first to
integrate SGC and HAC systematically for secure grid computing services.
In addition, prior schemes make certain assumptions that are difficult
to realize in practice and/or suffer from other problems. For example,
most schemes require that group members be organized/ordered as a tree
(called member serialization), which exposes group members and their
positions. They also require multiple encryptions and/or multiple rounds
of broadcasts for key updating. In contrast, our ACP-based key
distribution solution has no serialization issue, can hide membership,
and can perform rekeying with just one polynomial multicast, no matter
how many members join or leave.
6.6 Conclusion
Chapter 7
be limited to only those authorized, that only the information necessary for
a task be available to them, and finally that personal health information be
protected and kept confidential. However, from the technical point of view,
how to enforce the security of MIS is a challenging question. This chapter
aims to answer this question and provides a practical solution to it.
Dependability is also very important for the MIS. For example, it could
be fatal if a patient's records fail to load due to system failures and
are unavailable during a life-threatening emergency. Therefore, the MIS
has very high reliability requirements. The newly developed grid
computing technology is applied to MISs and proves to provide high
reliability without sacrificing performance.
In summary, the MIS needs very high levels of dependability and secu-
rity. We have implemented our dependability and security mechanisms into
a real MIS, in collaboration with VA (Veterans Affairs) Hospitals and DoD
(Department of Defense) in the U.S. [Schneider (2006)]. The key manage-
ment services and security modules are integrated into this real MIS system
without modifying the existing system components including the client GUI
interface, the MIS application server, and MIS databases. Via this seam-
less integration, the new MIS is able to guarantee patient (data) privacy
and integrity and would improve people’s health and lives. Moreover, the
holistic feature of our mechanism allows different MIS systems from differ-
ent organizations to be integrated together to provide comprehensive clinic
practice, health care services, and medical research. For example, doctors,
professors, and researchers can collaborate to conduct health and medical
research via the integrated MIS system. They can retrieve patient data
from different databases, exchange and share data among them, mine in-
formation, perform statistics, analysis and decision-making, and obtain new
discoveries.
Another very important collaborative service offered by the MIS is tele-
medicine through video conferencing and virtual reality. In this sce-
nario, doctors, specialists, surgeons, nurses, etc. from different
places can conduct consulting, diagnosis, and surgery over the Internet,
just as if they had gathered for a face-to-face meeting to discuss or
diagnose patients. The primary issue for this kind of tele-medicine is
the transmission and processing of different types of signals such as
images, video, audio, multimedia, text, and documents. Clearly, the
security of these confidential signals, activities, and services is
critical. The new MIS,
after integration with our new security and reliability mechanisms,
guarantees various security needs and provides secure and reliable
tele-medicine
service.
The remainder of the chapter is organized as follows. Section 7.2 in-
troduces the background of the Medical Information System; Section 7.3
describes the middleware architecture for key management services that are
used in the MIS; Section 7.4 presents how to improve the MIS reliability
by integrating the Grid computing technology; and Section 7.5 concludes
this chapter.
ing inadequate products may increase the total investment and discourage
providers [Goldschmidt (2005)]. Many obstacles exist along the way in
developing and deploying HIT/MIS: (1) enormous amounts of money may need
to be expended or even wasted; (2) vast expenditures must be made in the
short term, while most benefits are gained only in the long term; and
(3) widespread utilization of HIT/MIS can doubtless improve the quality
of health care in the long run, yet improvements in patient outcomes may
be less than expected in the short run. In addition, the introduction of
new technology increases the potential for error at its initial (and
unstable) stage [Goldschmidt (2005)]. All these factors can affect
people's trust and confidence in the MIS. Even though there are a number
of challenges and difficulties, the broad application of HIT/MIS will
not be blocked; these challenges are not the main obstacles to adopting
HIT/MIS. Instead, what people are most concerned about, and what affects
their willingness to step into the HIT/MIS age, is “the security,
privacy, and confidentiality of their personal health information.”
[Goldschmidt (2005)].
We, in collaboration with the VA hospitals and Indiana University School
of Medicine, are putting our effort in this direction and embedding our in-
novative security and dependability technologies into the existing MISs to
create the new generation MIS system.
Like many information systems in other fields, the MIS basically consists
of three components (tiers): client/user interface, database, and applica-
tion servers. (Note: the author in [Goldschmidt (2005)] classifies the MIS
applications (Modules) as: Electronic health record, Personal health record
(controlled by a consumer in contrast to a provider), Decision-support
tools, and Tele-medicine.) For example, in the VISTA system (Veterans
Health Information System and Technology Architecture) of the U.S. De-
partment of Veterans Affairs, the three components are CPRS client (Com-
puterized Patient Record System), VISTA application server, and Database
(See: http://worldvista.sourceforge.net/vista/history/index.html). We im-
plemented and integrated our security modules into the VISTA system to
transform the VISTA into a secure MIS system [Schneider (2006)]. Apart
from the provided security services such as confidentiality, integrity, authen-
tication, fine-tuned access control, and detection of stealing and masquerad-
ing attacks, one prominent feature of our new technology is the seamless
and transparent integration in the sense that the security modules are in-
tegrated without modification of any existing components and users can
continue to use the system in the same way as before.
Legacy MIS systems are generally isolated ones in the sense that each is
[Figure: the ACP-based secure MIS architecture. The new modules (shown
in red) — the Secure Server (SS), the Key Management Server, and the
Polynomial (P3-Secret) Generator — connect user PCs to the data servers
(VA, DoD, university hospitals, Regenstrief, and others) through a
16-step protocol of authentication, certificate checking, key
derivation, and data encryption/decryption.]
and sends the data along with (z, P (x )) to the user (Step 14). The
user can derive the key from P (x ) (Step 15) and then decrypt the data
(Step 16). Note that the SS is treated as a (super)user belonging to the
highest node of an organization's hierarchy; thus the SS can also derive
the key under the HAC design. It is worth noting that the ACP mechanism
does not constrain data types: patient data may be text, images, video,
audio, multimedia, etc. Our security scheme can seamlessly encrypt all
of them and guarantee their confidentiality and integrity.
patient data will be encrypted using K before the data is sent back to
the physician. K is hidden in the polynomial P (x) = A(x) + K, where
A(x) = (x − f (CID8 , z))(x − f (CID4 , z))(x − f (CID5 , z))(x − f (CID2 , z))
and CIDi is the secret node ID of node i, known only to the users of
node i. Thus, physician p2 can first obtain K and then decrypt and use
the patient data.
[Figure: the physician hierarchy in this example — p1 and p2 at the top,
p3–p5 in the middle, and p6–p9 at the bottom.]
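A sketch of building this four-root polynomial follows. Since the text gives no concrete numbers here, the CID values, z, and K below are made-up illustration values, and f is the toy one-way function from Chapter 6's example:

```python
# Sketch of hiding K in P(x) = A(x) + K with one root per authorized node.
# All concrete numbers below are hypothetical illustration values.
P = 13
z = 5
K = 9

def f(cid, z):
    """Toy one-way function: 2^(cid XOR z) mod P."""
    return pow(2, cid ^ z, P)

def polymul(a, b):
    """Multiply two polynomials (high-to-low coefficients) mod P."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def poly_eval(coeffs, x):
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % P
    return acc

cids = {8: 3, 4: 6, 5: 10, 2: 12}     # hypothetical CID_i for node i
A = [1]
for cid in cids.values():             # A(x) = product of (x - f(CID_i, z))
    A = polymul(A, [1, (-f(cid, z)) % P])
coeffs = A[:-1] + [(A[-1] + K) % P]   # P(x) = A(x) + K

# Physician p2 (node 2) recovers K; an outsider does not.
assert poly_eval(coeffs, f(cids[2], z)) == K
assert poly_eval(coeffs, f(1, z)) != K   # CID = 1 is not an authorized root
```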
Permanent Personal Secret will be detected. One last advantage of our
ACP-based MIS system is that the three components are quite independent
of the existing systems and can be integrated into existing MIS systems
without much modification of the existing systems/databases and without
affecting the existing security functions.
In summary, the newly proposed ACP mechanism has been validated as
powerful and practical through its implementation and integration into a
real MIS system. The ACP-based MIS system has the following properties:
1) it supports all security functions required by the MIS in a uniform
manner; 2) it supports the seamless integration of different data
sources/systems without the need for a centralized master patient index
(MPI); 3) it provides fine-tuned access control in terms of users, user
groups, data domains, data records, and record fields; 4) it provides
portability; and 5) it supports secure tele-medicine.
7.5 Conclusion
A secure and dependable medical information system will benefit
everyone. Security and reliability are two important, safety-critical
concerns in developing any mission-critical information system such as a
medical information system. We, in collaboration with the Veterans
Affairs (VA) hospitals and the Indiana University School of Medicine,
have implemented a preliminary secure medical information system
[Goldschmidt (2005)]. The security and reliability model, and its
seamless integration capability, have been proven via this system. We
plan to extend it to a larger scope of MIS systems, such as a Regional
Health Information Organization (RHIO), and finally to a nation-wide
health information system.
This chapter presented the core concepts and techniques of security and
reliability for the MIS. As MIS systems develop further, new modules and
methods will be designed and presented.
Bibliography
Abdalla, M., Shavitt, Y. and Wool, A. (2000). Key management for restricted
multicast using broadcast encryption, IEEE/ACM Transactions on Net-
working(TON) , pp. 443–454.
Abraham, A. and Jain, R. (2004). Soft computing models for network
intrusion detection systems,
http://falklands.globat.com/softcomputing.net/saman2.pdf .
Abramson, D., Buyya, R. and Giddy, J. (2002). A computational economy for
grid computing and its implementation in the nimrod-g resource broker,
Future Generation Computer Systems 18, 28, pp. 1061–1074.
Adusumili, P. and Zou, X. (2005). KTDCKM-SDC: A distributed conference
key management scheme for secure dynamic conferencing, Proceedings of
the Tenth IEEE Symposium on Computers and Communications (ISCC) , pp.
476–481.
Adusumilli, P., Zou, X. and Ramamurthy, B. (2005). DGKD: Distributed group
key distribution with authentication capability, Proceedings of 2005 IEEE
Workshop on Information Assurance and Security, West Point, NY, USA,
pp. 476–481.
Agrawal, M., Kayal, N. and Saxena, N. (2002). A deterministic
poly-time primality testing algorithm, IIT Kanpur, India, available at
http://www.cse.iitk.ac.in/users/manindra/primality.ps, accessed in June
2004 .
Akl, S. G. and Taylor, P. D. (1983). Cryptographic solution to a problem of access
control in a hierarchy, ACM Transactions on Computer Systems 1, 3, pp.
239–247.
Al-Duwairi, B. and Govindarasu, M. (2006). Novel hybrid schemes employing
packet marking and logging for ip traceback, IEEE Transactions on Parallel
and Distributed Systems 17, 5, pp. 403–418.
Al-Kahtani, M. A. and Sandhu, R. (2004). Rule-based RBAC with negative au-
thorization, 20th Annual Computer Security Applications Conference (AC-
SAC’04) , pp. 405–415.
Alert, I. S. S. S. (2000). Trinity v3 distributed denial of service tool,
http://xforce.iss.net/xforce/alerts/id/advise59 .
key distribution schemes, Des. Codes Cryptography 32, 1-3, pp. 15–44, doi:
http://dx.doi.org/10.1023/B:DESI.0000029210.20690.3f.
Blundo, C., Mattos, L. A. F. and Stinson, D. R. (1998a). Generalized Beimel-Chor
scheme for broadcast encryption and interactive key distribution, Theoret-
ical Computer Science 200, pp. 313–334.
Blundo, C., Mattos, L. A. F. and Stinson, D. R. (1998b). Generalized Beimel-Chor
scheme for broadcast encryption and interactive key distribution, Theoret-
ical Computer Science 200, 1-2, pp. 313–334.
Blundo, C., Santis, A. D., Herzberg, A., Kutten, S., Vaccaro, U. and Yung, M.
(1993). Perfect secure key distribution for dynamic conferences, Advances
in Cryptology - CRYPTO’92, LNCS, Springer, Berlin 740, pp. 471–486.
Bolzoni, D., Etalle, S., Hartel, P. and Zambon, E. (2006). POSEIDON: a 2-tier
anomaly-based network intrusion detection system, Fourth IEEE Interna-
tional Workshop on Information Assurance , pp. 144–156.
Bresson, E., Chevassut, O. and Pointcheval, D. (2001). Provably authenticated
group diffie-hellman key exchange - the dynamic case, ASIACRYPT ’01:
Proceedings of the 7th International Conference on the Theory and Appli-
cation of Cryptology and Information Security .
Briscoe, B. (1999). MARKS: Multicast key management using arbitrarily revealed
key sequences, Proceedings of 1st International Workshop on Networked
Group Communication .
Burmester, M. and Desmedt, Y. (1994). A secure and efficient conference key
distribution system, in In Advances in Cryptology - EUROCRYPT.
Canetti, R., Garay, J., Itkis, G., Micciancio, D., Naor, M. and Pinkas, B. (1999a).
Multicast security: a taxonomy and some efficient constructions, Proceed-
ings of INFOCOM’99: Conference on Computer Communications 2, pp.
708–716.
Canetti, R., Malkin, T. and Nissim, K. (1999b). Efficient communication-storage
tradeoffs for multicast encryption, Lecture Notes in Computer Science (Ad-
vances in Cryptology-EUROCRYPT’99) 1592, pp. 459–470.
Cao, J., Jarvis, S. A., Saini, S., Kerbyson, D. J. and Nudd, G. R. (2002). An
agent-based resource management system for grid computing, Scientific
Programming 2, 10, pp. 135–148.
Caronni, G., Waldvogel, K., Sun, D. and Plattner, B. (1998). Efficient security for
large and dynamic multicast groups, Proceedings of the Seventh IEEE In-
ternational Workshop on Enabling Technologies: Infrastructure for Collab-
orative Enterprises (WETICE ’98) (Cat. No.98TB100253) , pp. 376–383.
Chang, C. and Buehrer, D. (1993). Access control in a hierarchy using a one-way
trapdoor function, Computers and Mathematics with Applications 26, 5,
pp. 71–76.
Chang, C.-C., Lin, I.-C., Tsai, H.-M. and Wang, H.-H. (2004). A key assignment
scheme for controlling access in partially ordered user hierarchies, in AINA
(2), pp. 376–379.
Chen, D. J., Chen, R. S. and Huang, T. H. (1997). A heuristic approach to gen-
erating file spanning trees for reliability analysis of distributed computing
systems, Computers and Mathematics with Application , pp. 225–131.
Kim, Y., Perrig, A. and Tsudik, G. (2004c). Tree-based group key agreement,
ACM Transactions on Information Systems Security 7, 1, pp. 60–96.
Ko, C., Fink, G. and Levitt, K. (1994). Automated detection of vulnerabilities in
privileged programs by execution monitoring, Proceedings of 10th Annual
Computer Security Applications Conference , pp. 134–144.
Koblitz, N. (1994). A Course in Number Theory and Cryptography (Springer,
Verlag, NY, USA), ISBN 3-540-94293-9.
Kogan, N., Shavitt, Y. and Wool, A. (2003). A practical revocation scheme for
broadcast encryption using smart cards, Proceedings of the 2003 IEEE Sym-
posium on Security and Privacy (SP03) , pp. 225–235.
Korty, A. (2000). mstream forensics analysis, http://itso.iu.edu/staff/
ajk/mstream/ .
Koutepas, G., Stamatelopoulos, F. and Maglaris, B. (2004). Distributed manage-
ment architecture for cooperative detection and reaction to ddos attacks,
Journal of Network and Systems Management Vol. 12 , pp. 73–94.
Krauter, K., Buyya, R. and Maheswaran, M. (2002). A taxonomy and survey of
grid resource management systems for distributed computing, Software -
Practice and Experience 32, 2, pp. 135–164.
Krawetz, N. (2004). Anti-honeypot technology, IEEE Security and Privacy Mag-
azine 2, 1, pp. 76–79.
Kumar, A. (2000). An efficient supergrid protocol for high availability and load
balancing, IEEE Transactions on Computers 49, 10, pp. 1126–1133.
Kumar, S. and Spafford, E. (1994). A pattern matching model for misuse intrusion
detection, Proceedings of 17th Nat’l Computer Security Conference , pp.
11–21.
Kumar, V. K. P., Hariri, S. and Ragavendra, C. S. (1986). Distributed program
reliability analysis, IEEE Transactions on Software Engineering , pp. 42–
50.
Lampson, B. (1974). Protection (computer system access), Operating Systems
Review 8, 1, pp. 18–24.
Lang, B., Foster, I., Siebenlist, F., Ananthakrishnan, R. and Freeman, T. (2006).
A multipolicy authorization framework for grid security, Proceedings of the
Fifth IEEE International Symposium on Network Computing and Applica-
tions , pp. 269–272.
Lee, H. C., Thing, V. L., Xu, Y. and Ma, M. (2003). Icmp traceback with cumula-
tive path, an efficient solution for ip traceback, Lecture Notes in Computer
Science 2836, pp. 124–135.
Lee, P., Lui, J. and Yau, D. (2002). Distributed collaborative key agreement pro-
tocols for dynamic peer groups, Proc. IEEE Int’l Conf. Network Protocols
(ICNP) , pp. 322–333.
Lee, S. C. and Shields, C. (2001). Tracing the source of network attack: A tech-
nical, legal and societal problem, Proceedings of the 2001 IEEE Workshop
on Information Assurance and Security , pp. 239–246.
Lee, W., Stolfo, S. J. and Mok, K. W. (1999). A data mining framework for
building intrusion detection models, 1999 IEEE Symposium on Security
and Privacy , pp. 120–129.
Leu, F.-Y., Li, M.-C. and Lin, J.-C. (2006). Intrusion detection based on grid, In
the Proceedings of the International Multi-Conference on Computing in the
Global Information Technology .
Levitin, G. (ed.) (2003). Universal generating function in reliability analysis and
optimization (Morgan-Kaufmann, San Fransisco, CA).
Li, J. and Cordes, D. (2005). A scalable authorization approach for the globus
grid system, Future Generation Computer Systems 21, 2, pp. 291–301.
Li, M., Cui, Y., Tian, Y., Wang, D. and Yan, S. (2006). A new architecture
of grid security system construction, Proceedings of the 2006 International
Conference on Parallel Processing Workshops , pp. 1–6.
Li, X., Wang, Y. and Frieder, O. (2002). Efficient hybrid key agreement protocol
for wireless ad-hoc networks, in IEEE 11th International Conference on
Computer, Communication and Networks, pp. 404–409.
Li, X., Yang, Y., Gouda, M. and Lam, S. (2001). Batch rekeying for secure group
communications, Proc. 10th Int’l WWW Conf. , pp. 525–534.
Lidl, R. and Niederreiter, H. (1986). Introduction to finite fields and their appli-
cations (Cambridge University Press, New York, NY, USA), ISBN 0-521-
30706-6.
Lin, C. (2001). Hierarchical key assignment without public-key cryptography,
Computers and Security 20, 7, pp. 612–619.
Lin, C., Varadharajan, V., Wang, Y. and Pruthi, V. (2004a). Enhancing grid se-
curity with trust management, Proceedings. 2004 IEEE International Con-
ference on Service Computing , pp. 303–310.
Lin, C., Vardhrajan, V. and Wang, Y. (2004b). Enhancing grid security with
trust management, Proceedings of the IEEE International Conference on
Services Computing , pp. 303–310.
Lin, C. H. (1997). Dynamic key management schemes for access control in a
hierarchy, Computer Communications 20, pp. 1381–1385.
Lin, M. S., Chen, M. S., Chen, D. J. and Ku, K. L. (1997). The distributed pro-
gram reliability analysis on ring-type topologies, Computers and Operations
Research , pp. 225–131.
Liu, D., Ning, P. and Sun, K. (2003). Efficient self-healing group key distribu-
tion with revocation capability, in CCS ’03: Proceedings of the 10th ACM
conference on Computer and communications security (ACM Press, New
York, NY, USA), ISBN 1-58113-738-9, pp. 231–240, doi:http://doi.acm.
org/10.1145/948109.948141.
Livny, M. and Raman, R. (1998). High-throughput resource management, in the
grid: Blueprint for a new computing infrastructure, Morgan-Kaufmann ,
pp. 311–338.
Mackinnon, S. T., Taylor, P. D., Meijer, H. and Akl, S. G. (1985). An optimal
algorithm for assigning cryptographic keys to control access in a hierarchy,
IEEE Transactions on Computers 34, 9, pp. 797–802.
Mahajan, R., Bellovin, S. M., Floyd, S., Ioannidis, J., Paxson, V. and Shenker, S.
(2001). Aggregate-based congestion control, URL citeseer.ist.psu.edu/
530614.html.
Menezes, A., Ooschot, P. V. and Vanstone, S. (eds.) (1996). Handbook of applied
cryptography (CRC Press, Inc., Boca Raton, Florida, USA), ISBN 0-262-
22030-X.
Meyer, J. (1997). On evaluating the performability of degradable computing sys-
tems, IEEE Transactions on Computers , pp. 225–131.
Mirkovic, J., Dietrich, S., Dittrich, D. and Reiher, P. (2004). Internet Denial
of Service: Attack and Defense Mechanisms (Prentice Hall, Upper Saddle
River, NJ, USA), ISBN 0131475738.
Mirkovic, J. and Reiher, P. (2005). D-WARD: a source-end defense against flood-
ing denial-of-service attacks, IEEE Transactions on Dependable and Secure
Computing 2, 3, pp. 216–232.
Mirkovic, J., Robinson, M., Reiher, P. and Kuenning, G. (2003). Alliance forma-
tion for DDoS defense, Proceedings of the New Security Paradigms Workshop,
pp. 11–18.
Anonymous (2003). Is it the cure? The Economist.
Mittra, S. (1997a). Iolus: A framework for scalable secure multicasting, ACM
SIGCOMM Computer Communication Review 27, 4, pp. 277–288.
Mittra, S. (1997b). Iolus: A framework for scalable secure multicasting, ACM
SIGCOMM Computer Communication Review 27, 4, pp. 277–288.
More, S. M., Malkin, M., Staddon, J. and Balfanz, D. (2003). Sliding-window
self-healing key distribution, in SSRS ’03: Proceedings of the workshop on
Survivable and self-regenerative systems in ACM CCS 2003 (ACM Press,
New York, NY, USA), ISBN 1-58113-784-2, pp. 82–90,
doi:http://doi.acm.org/10.1145/1036921.1036930.
Moyer, M. J. and Ahamad, M. (2001). Generalized role-based access control, The
IEEE 21st International Conference on Distributed Computing Systems,
pp. 391–396.
Mutz, D., Valeur, F. and Vigna, G. (2006). Anomalous system call detection,
ACM Transactions on Information and System Security 9, 1, pp. 61–93.
Nabrzyski, J., Schopf, J. M. and Weglarz, J. (eds.) (2003). The Grid Resource
Management (Kluwer Publishing).
Ng, W. H. D., Howarth, M., Sun, Z. and Cruickshank, H. (2007). Dynamic bal-
anced key tree management for secure multicast communications, IEEE
Transactions on Computers 56, 5, pp. 577–589.
Noubir, G. (1998). Multicast security, European Space Agency, Project: Perfor-
mance Optimization of Internet Protocol Via Satellite.
Novotny, J., Tuecke, S. and Welch, V. (2001). An online credential repository for
the grid: MyProxy, Proceedings of the Tenth IEEE International Symposium
on High Performance Distributed Computing (HPDC-10), p. 104.
Park, J. S. and Hwang, J. (2003). RBAC for collaborative environments: Role-
based access control for collaborative enterprise in peer-to-peer computing
environments, Proceedings of the eighth ACM symposium on Access control
models and technologies, pp. 93–99.
Patrikakis, C., Masikos, M. and Zouraraki, O. (2004). Distributed denial of service
attacks, The Internet Protocol Journal 7, 4, pp. 1–10.
Paxson, V. (1999). Bro: A system for detecting network intruders in real-time,
Computer Networks 31, 23-24, pp. 2435–2463.
Staddon, J., Miner, S., Franklin, M., Balfanz, D., Malkin, M. and Dean, D.
(2002). Self-healing key distribution with revocation capability, in SP ’02:
Proceedings of the 2002 IEEE Symposium on Security and Privacy (IEEE
Computer Society, Washington, DC, USA), ISBN 0-7695-1543-6, p. 241.
Stavrou, A., Cook, D. L., Morein, W. D., Keromytis, A. D., Misra, V. and
Rubenstein, D. (2005). WebSOS: an overlay-based system for protecting
web servers from denial of service attacks, Computer Networks 48, 5, pp.
781–807.
Stillerman, M., Marceau, C. and Stillman, M. (1999). Intrusion detection for
distributed applications, Communications of the ACM 42, pp. 62–69.
Stinson, D. R. (ed.) (1995). Cryptography: Theory and Practice (CRC Press, Inc.,
Boca Raton, Florida, USA), ISBN 0-8493-8521-0.
Strayer, W. T., Jones, C. E., Tchakountio, F. and Hain, R. R. (2004). SPIE-IPv6:
Single IPv6 packet traceback, Proceedings of 29th Annual IEEE Interna-
tional Conference on Local Computer Networks , pp. 118–125.
Sun, B., Wu, K. and Pooch, U. W. (2003). Alert aggregation in mobile ad hoc
networks, Proceedings of the 2003 ACM workshop on Wireless security,
pp. 69–78.
Sun, Y. and Liu, K. J. R. (2004). Scalable hierarchical access control in secure
group communications, Proceedings of IEEE INFOCOM 2, pp. 1296–1306.
Sung, M. and Xu, J. (2003). IP traceback-based intelligent packet filtering: A
novel technique for defending against Internet DDoS attacks, IEEE Trans-
actions on Parallel and Distributed Systems 14, 9, pp. 861–872.
Sy, D. and Bao, L. (2006). CAPTRA: coordinated packet traceback, in IPSN ’06:
Proceedings of the fifth international conference on Information processing
in sensor networks (ACM Press, New York, NY, USA), ISBN 1-59593-334-
4, pp. 152–159, doi:http://doi.acm.org/10.1145/1127777.1127803.
Tai, A., Meyer, J. and Avizienis, A. (1993). Performability enhancement of fault-
tolerant software, IEEE Transactions on Reliability 42, 2, pp. 227–237.
Tanachaiwiwat, S. and Hwang, K. (2003). Differential packet filtering against
DDoS flood attacks, ACM Conference on Computer and Communications
Security (CCS).
Thomas, R., Zhu, H., Huck, T. and Johnson, T. (2003). NetBouncer: Client-
legitimacy-based high-performance DDoS filtering, Proceedings of DARPA
Information Survivability Conference and Exposition 2, pp. 111–121.
Thompson, T. and Brailer, D. (2004). The Health IT Strategic Framework, DHHS,
Washington, DC.
Tolone, W., Ahn, G.-J., Pai, T. and Hong, S. (2005). Access control in collabo-
rative systems, ACM Computing Surveys 37, 1, pp. 29–41.
Tripunitara, M. V. and Li, N. (2004). Access control: Comparing the expressive
power of access control models, Proceedings of the 11th ACM conference on
Computer and communications security, pp. 62–71.
Tzeng, W. (2002). A time-bound cryptographic key assignment scheme for access
control in a hierarchy, IEEE Transactions on Knowledge and Data Engi-
neering 14, 1, pp. 182–188.
Index
Virus, 97
WinNuke, 109
Zombie, 110